Sourcing Speak

EU Cybersecurity Regulations – The Costs of Financial Market Infrastructure Resiliency

Posted January 20, 2015

Any company that uses information technology is a potential target for data theft, advanced malware and other cyber threats. Cyber threats have emerged as a growing systemic risk particularly to the financial sector in which Financial Market Infrastructures (“FMIs”) are increasingly under attack from a wide range of players, at greater frequency and growing levels of sophistication. Regulators, standards bodies and other authorities around the world are giving a high priority to cybersecurity for these reasons. This post summarizes what regulators are doing in the Europe to address these threats and describes some of the actions companies everywhere can take to minimize their exposure.

What are EU regulators proposing to improve FMI cybersecurity?

The European Commission has initiated a push to “protect open internet and online freedom and opportunity” by 2020. This initiative includes combatting cyber-attacks against information systems, establishing an EU cybercrime centre and coordinating Emergency Response teams, cyber-attack simulations and national alerts among all EU Member States. These efforts are also intended to align with the international fight against cybercrime. The next five years will see an increase in costs as FMIs and regulators pay to rapidly update single FMIs and solidify an EU-wide cybersecurity structure.

Global App Enforcement Sweep – Lessons For Developers

Posted November 7, 2014

By Steven Farmer

Steven Farmer

A recent survey of over 1,200 of the top mobile apps in 19 countries by the Global Privacy Enforcement Network (“GPEN”) has found that 85% of the apps reviewed were non-compliant, failing to provide even the most basic privacy information to users.

In addition, 43% failed in their obligation to tailor privacy notices to smaller screens and almost 30% unlawfully requested excessive personal data from users.

Concerns for users are compounded given the lightning speed at which new apps are hitting the market. Last year, for example, in excess of 1 million apps were reported to be available via Apple’s iOS App Store.

Should developers care about these findings?

In short, yes, especially given that the UK privacy regulator, the Information Commissioner’s Office (“ICO”), has recently conducted research that demonstrates that around half of app users have decided against downloading an app due to privacy concerns at some point in time.

Risk for developers does not stop there either.

You’ve been fired!

Posted October 27, 2014

By Pillsbury's Global Sourcing Team

Pillsbury's Global Sourcing Team

It isn’t often that a supplier “fires” its customer, but it’s not unknown. I have worked with two clients recently whose suppliers have given notice of termination without cause.

How can you avoid or, if it does happen, manage through a supplier-initiated termination?

Obviously, the best position from a customer’s perspective is not to give your supplier a contractual right to terminate, except if there is an uncured material breach. However, in many negotiations in which I have been involved over recent years, suppliers are demanding a right to terminate for convenience, or a right to give notice of non-renewal at the end of an initial term, or a subsequent renewal term (which pretty much amounts to a termination for convenience).

The “Subjective” SLA – Key Stakeholder Satisfaction

Posted October 13, 2014

By Jeffrey D. Hutchings

Jeffrey D. Hutchings

Quantitative measures of supplier performance in the form of service levels are critical in any outsourcing relationship. However, they provide an incomplete picture of how well the supplier is performing and meeting the client’s business and IT objectives. A common complaint is that the service levels are green each month, but the client is dissatisfied with the supplier’s performance – typically due to the supplier failing in areas that are difficult to measure quantitatively.

To fill this gap, we recommend to our clients that a quarterly “key stakeholder satisfaction survey” be included in the outsourcing contract as a service level. This service level is a subjective determination by the client of its level of satisfaction with the supplier’s performance. A meaningful service level credit applies if the supplier fails to achieve an acceptable rating.

FCA issues considerations on the procurement of off the shelf technology solutions (United Kingdom)

Posted September 12, 2014

By Pillsbury's Global Sourcing Team

Pillsbury's Global Sourcing Team

In July, the Financial Conduct Authority (FCA – the financial regulatory body in the United Kingdom) issued a paper titled “Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions” (the Considerations). The Considerations contain about five pages of checklist “Areas of interest” and related notes, which are stated to be things a firm subject to regulation by the FCA should consider when procuring ‘off the shelf’ technology solutions.

When do the Considerations apply?
We view the application of the Considerations as two-fold. First, they supplement the existing IT-related banking regulations. Second, they are intended to apply to procurements where firms might not ordinarily consider applying FCA-originating guidelines.

BYOD: No Such Thing as a Free Lunch

Posted September 4, 2014

By Joshua B. Konvisser

Joshua B. Konvisser

It seems intuitive that, by and large, employees prefer to use their own mobile devices, carrying only a single device for personal and work purposes, and having choice over the device to be used (please don’t take away my iPhone). There has also been a hypothesis that there could be cost savings for companies that allow employees to BYOD because of the ability to defer the cost of the devices and service to the employee.

In fact, maintenance of a BYOD program (we have previously reported on legal issues surrounding Bring Your Own Device and the importance of BYOD policies), including the need to manage across non-standard devices and platforms, may actually result in a BYOD program being more costly than having a standard corporate-liable program. Add to those costs a recent California ruling that requires companies to reimburse employees for wireless service. Although the case raised more questions than it answered about what level of reimbursement is required, it seems clear that companies will bear a larger portion of the cost of BYOD programs than they had previously borne.

FCA warns firms on use of social media to promote financial products

Posted August 7, 2014

By Pillsbury's Global Sourcing Team

Pillsbury's Global Sourcing Team

The UK financial services regulator, the Financial Conduct Authority (FCA), has launched a guidance consultation in order to clarify and confirm its approach to the supervision of financial promotions in social media, including the use of character-limited forms (Examples of character-limited formats are Twitter (which limits tweets to 120 characters) and Vine (which limits videos to six-second loops).

The FCA has identified an increase in the use of character-limited social media (and social media generally) and warned of confusion among firms over the inclusion of regulatory information such as risk warnings (in compliance with the financial promotion rules) when communicating through social sites such as Twitter, Pinterest and Vine. And, as the FCA makes clear, every communication (e.g. each tweet, Facebook page or insertion) must be considered individually and comply with the relevant rules.

The EU’s Right to be Forgotten: Overly Burdensome?

Posted August 4, 2014

By Brooke L. Daniels

Brooke L. Daniels

In May earlier this year, the European Union’s top court held in favor of an individual who requested that Google remove the search results associated with his name. In this particular case, a Spanish citizen requested that Google Spain remove an auction notice of his repossessed home from its search results, as the proceedings had been resolved for a number of years. The court held that individuals have the right to require search engines to remove personal information about them if the information is “inaccurate, inadequate, irrelevant or excessive.” This precedent established the “right to be forgotten,” which gives Europeans the right to require search engines to remove information about them from search results for their own names. The ruling has not been met with universal applause, and in fact a U.K. House of Lords subcommittee recently declared the right to be forgotten misguided in principle and unworkable in practice.

UK telecoms regulator issues call for input on Internet of Things

Posted July 30, 2014

By Pillsbury's Global Sourcing Team

Pillsbury's Global Sourcing Team

Ofcom has published a call for input, entitled “Promoting investment and innovation in the Internet of Things“, regarding issues that might affect the development of the emerging Internet of Things (IoT) sector in the United Kingdom. Ofcom is the UK’s independent regulator and competition authority for the UK communications industry. It regulates the TV and radio sectors, fixed line telecoms, mobile devices, postal services, plus the airwaves over which wireless devices operate. It operates under a number of Acts of Parliament, in particular the Communications Act 2003.

IoT (which is also referred to as Cloud of Things or CoT) describes the interconnection of multiple machine to machine (M2M) applications and covers a variety of protocols, domains and applications (see J. Höller, V. Tsiatsis, C. Mulligan, S. Kamouskos, S. Avesand, D. Boyle: From Machine-to-Machine to the Internet of Things: Introduction to a New Age of Intelligence. Elsevier, 2014). These technologies and methodologies underpin smart applications and embedded devices that enable the exchange of data across multiple industry sectors, such as heart monitoring implants, factory automation sensors, industrial robotics applications, automotive sensors and biochip transponders. A 2013 report by Gartner suggested that by 2020 there will be nearly 26 billion connected IoT devices.

EU adopts new regulation on cross-border electronic identification and e-signatures

Posted July 25, 2014

By Pillsbury's Global Sourcing Team

Pillsbury's Global Sourcing Team

The General Affairs Council, on 23 July 2013, adopted a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the Internal Market. Until the new regulation, the E-Signatures Directive (1999/93/EC) provided the only EU rules relating to e-signatures and said nothing about trust services. The E-Signatures Directive is to be repealed with effect from July 2016 when, with some exceptions, the new regulation will start to apply.

The new regulation sets out rules for cross-border electronic trust services (electronic identification schemes) within the EU (the new rules will only cover cross-border aspects of electronic identification; issuing means of electronic identification remains a national prerogative. The general position at English law remains unchanged – sophisticated electronic signatures are not necessary for the formation of a binding contract) and creates a legal framework for:

electronic signatures,
seals and time stamps,
electronic documents,
electronic registered delivery services, and
certificate services for website authentication.

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: