In the weeks following a defective software update that disrupted several industries globally, including financial services, aviation, retail, and emergency services, remediation efforts remain ongoing while organizations look to their supply chains to identify vulnerabilities and possible mitigants for future disruptions. The incident provided a stark warning of the criticality of businesses’ resilience, including “operational resiliency,” which extends to an organization’s ability to identify and prevent disruptive events, and not just how it responds to and recovers from them.
The concept of “resiliency” is one that has been at the heart of cybersecurity planning and services and which has also been adopted by many regulators around the globe when considering organizations’ abilities to continue delivering services when faced with such an event.
In this LawFlash, we look at current trends and outlooks and how organizations may in the future contract with and manage their third-party suppliers in order to align with their wider resiliency posture.
On July 19, 2024, an update to widely used security software, which was designed to protect customer systems by identifying and remediating advanced threats, caused global systems with such software built into them to crash, producing a “blue screen of death” for end users.
On August 6, a root-cause analysis was published by the relevant software provider, which attributed this event to, among other factors, a mismatch between input parameter fields and input values within the upgrade code. The error seemingly evaded multiple layers of build validation and testing and even several successful deployments of the update. Another key factor was that the upgrade was pushed out to nearly all customers at once.
Upon discovery of the issue, the software provider issued regular publicly available updates on the incident and its efforts to resolve it.
Notably, the disruption was not caused by malware or a similar malicious attack.
Resiliency has increasingly become central to third-party risk management and supply chain design in recent years. Geopolitics and the COVID-19 pandemic had a directional impact, highlighting challenges such as supplier or geographic concentration and shifting work patterns; one survey found that 97% of organizations in the Americas have made changes to their cybersecurity policies since the start of the pandemic in order to support remote working.
Businesses understand that they must plan for “low probability, high impact” events now more than ever. From a third-party risk management perspective, this places a particular emphasis on ensuring that organizations have contract terms in place with their suppliers (and that, as highlighted by this event, flow down to sub-suppliers) that can enable the organization to achieve its own resiliency objectives.
Resiliency-related contract requirements largely build on long-standing contract provisions, such as disaster recovery and business continuity response provisions and audit provisions that allow organizations to monitor their suppliers. A holistic view of resiliency would lead organizations to apply such terms uniformly across suppliers (e.g., broadly the same audit rights regardless of the nature of the service or supply, and uniform recovery timeframes), and that appears to be how many organizations are looking to implement their third-party risk management controls. At the same time, however, suppliers, in particular “as a Service” and cloud providers, have sought to create uniformity of their own supply terms.
We find that this is an area in constant flux, with the vendor community acknowledging the changes faced by their customers. Key to reconciling a customer’s and a supplier’s competing goals of uniformity are the mechanisms for change under the contract, and we are seeing challenging discussions as change is implemented.
Entrenched approaches (from customers and suppliers) may result in significant challenges to agreeing on contract amendments where required, or to reaching a contract at all, and may also lose sight of both an industrywide view (on the supplier’s part) and a proper understanding of how solutions are integrated within operations (on the customer’s part).
Now more than ever, it is crucial to understand a customer’s industry and how solutions and/or services are integrated into its operations in order to address the evolving challenges of ensuring business resiliency.
As mentioned above, the key contract terms are disaster recovery and business continuity response provisions and audit provisions. The extent of audit rights is currently one of the most closely negotiated areas, with challenges largely arising with respect to audits of multitenant environments.
Other contract areas of critical importance to achieving resiliency include the following:
In parallel with the operational provisions, risk allocation is central to contracting considerations. An incident that takes out core IT systems could have a direct impact on customer services, resulting in real economic losses for the affected organizations.
Customers will want to consider whether they can recover certain types of losses (and to what extent) given financial limits and exclusions of liability. Conversely, technology vendors will have to consider what type of losses they might face if a customer is unable to service clients as a result of technology failure (whether caused by the vendor or the vendor’s subcontractor(s)).
Technology and outsourcing advisories are reporting on a trend for organizations to bring IT and business process services back in house. While such trends are never one-directional, we have seen a greater push for the establishment of captives or “global capability centers,” which effectively keep services in-house (or largely so) even while organizations look to take advantage of talent centers and wage arbitrage.
The operational attraction of building a delivery center to which an organization can simply flow through its established resiliency procedures is a key factor, not just the increased opportunity to automate (facilitated through AI). The supplier community is no doubt taking resiliency into consideration when responding to customer demands.
For affected businesses, and particularly those in regulated industries, the disruption has highlighted themes around operational resiliency that policymakers and regulatory authorities have also been considering in recent years.
In financial services, the incoming EU Digital Operational Resilience Act represents the most comprehensive legislation focused on operational resilience and third-party IT services. Regulators in the United States are similarly increasing their focus on issues of resiliency; as one example, acting Comptroller of the Currency Michael Hsu indicated in a March 2024 speech that new regulations to strengthen baseline operational resilience for larger depository institutions may be forthcoming by the end of 2024.
In addition to regulators, we are seeing industry groups increasingly focus on resiliency in many sectors, including aviation, health services, life sciences, and pharma. These industry groups are in many cases taking their cues from regulatory developments in other sectors, and our view is that the technology industry is (at different speeds and in different ways) as a whole shifting its focus on resiliency.
As the dust settles on the most recent, and reportedly the worst, example of global IT disruption, resiliency considerations within third-party risk management and supply chain design will very likely continue to take center stage. Morgan Lewis lawyers stand ready to assist organizations in navigating this evolving landscape.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: