Whenever data leaves the control perimeter of a company, there is a risk that the data will not be protected at the same level of security that is required by company policy. It is essential that data created, stored, manipulated or transmitted by a third party on the company’s behalf be accorded the level of protection that is defined by the company’s standards and policies. In addition to customer service and reputational consequences, your company will normally be liable for any breaches or errors by a third-party service provider as if they had resulted from a breach or error on the part of the company. (Note that a company may also have recourse against the service provider, depending on the terms of the contract.)
Before entering into a contract with a third-party service provider, it is essential to perform due diligence on the prospective supplier. The items below should be considered, but note that other factors may be applicable as well.
- Experience and technical competence
- Pricing and likely cost under various business scenarios
- Financial strength (if possible, review the supplier’s audited financial statements and other relevant information)
- Business reputation
- Referrals and references from existing customers, preferably similar in size to your company
- Complaints and any pending litigation
- Internal controls, reporting and monitoring environment
- Ability to change providers (e.g., to terminate the contract in an orderly manner)
- Business contingency measures, including recovery testing, for ensuring the continuation of the outsourced activity in the event of problems and events that affect operations such as a systems breakdown, natural disaster, inability of a significant subcontractor to provide services, etc.
- Reliance on and success in dealing with subcontractors (if applicable)
- Insurance coverage
The contract and related documentation, such as the service level agreement (SLA), with the service provider are the first step in ensuring adequate controls. The details may be included in the SLA or in the contract itself. The contract with the provider
should, among other things, cover the matters set out below. This list is not exhaustive; there may be other items that relate to a particular situation. (“The contract” includes other documents executed pursuant to the contract, such as the SLA and other items.)
Nature and scope of services provided
The contract should set out the scope of the relationship, which may include provisions that address the frequency, content and format of the service being provided.
The contract should fully describe the basis for calculating fees and compensation relating to the service being provided.
Data management best practices
The contract should provide for data management best practices, including:
- Data processing integrity and validation
- Data backup, both local and off-site
- Data security and confidentiality corresponding to company-specified data classifications
- Data encryption for all transmissions across potentially hostile environments such as the Internet
- Data exchange compatibility with company systems and applications
Performance measurements should be set out so that each party can determine whether the commitments contained in the contract are being fulfilled.
The contract should specify the type and frequency of information received from the service provider. This would include reports that allow an assessment as to whether the performance measures are being met. In addition, the contract should include procedures and requirements for the provider to report events that may materially affect the delivery of the service.
Ownership and access
Identification and ownership of all assets (intellectual and physical) related to the outsourcing arrangement should be clearly established, including assets generated or purchased pursuant to the outsourcing arrangement. The contract or outsourcing agreement should state whether and how the service provider has the right to use the customer’s assets (e.g., data, hardware and software, system documentation or intellectual property) and the customer’s right of access to those assets.
The contract should set out any rules or limitations to subcontracting by the service provider. In particular, security and confidentiality standards should apply to subcontracting or outsourcing arrangements by the primary service provider.
Confidentiality and security
The contract should set out the customer’s requirements for confidentiality and security. The security and confidentiality policies of the service provider should be consistent with those of the customer. The contract should address which party has responsibility for protection mechanisms, the scope of the information to be protected, the powers of each party to change security procedures and requirements, which party may be liable for any losses that might result from a security breach and notification requirements if there is a breach of security.
The contract should outline the service provider’s plans for ensuring the continued operation of the outsourced activity in the event of problems that may affect its operation, including systems breakdown, natural disaster and other foreseeable events. The customer should be notified in the event that the provider makes significant changes to its business contingency plans.
A third-party service provider should disclose general terms and conditions of the insurance coverage and notify the customer about significant changes to its insurance coverage.
Defaults and termination
The contract should set out what constitutes a default, identify remedies and allow for opportunities to cure defaults or terminate the agreement. Appropriate notice should be required for termination of service and the return of data and records to allow the customer to continue business operations without prohibitive expense.
The contract should set out a process for resolving disputes, including the jurisdiction and rules under which a dispute will be settled.
It is also very important that the handling of the company’s data by a third-party service provider be reviewed periodically to ensure that the contractual terms are being observed.
Information Technology PolicyPro
Managing IT risks and cyber security are essential in today’s business environment. You need to be ready when the unexpected occurs. Information Technology PolicyPro provides a practical and effective way of designing, implementing and reviewing controls over your IT in the context of your overall business strategy.
Jeffrey is a popular presenter, and was an adjunct professor at York University for 15 years. He is a frequent course director and course author for many organizations, including provincial bodies of Chartered Professional Accountants across Canada.
He has written over 20 books including: Canadian Treasury Management, Canadian Risk Management, and Financial Instruments: A Guide for Financial Managers (all published by Thomson-Reuters/Carswell), as well as Finance and Accounting PolicyPro and Information Technology PolicyPro (guides to governance, procedures, and internal control), and Cash Management Toolkit for Small and Medium Businesses (all published by Chartered Professional Accountants of Canada [CPA Canada]).
Latest posts by Jeffrey Sherman, MBA, FCPA, FCA (see all)
- How does IT recovery planning differ from business continuity planning? - August 4, 2015
- How to manage bank accounts: the basics - July 6, 2015
- Refresher on financial statistics and metrics - April 6, 2015