
Check if data outsourced is accessible?

Global financial authorities emphasize that financial institutions need operational resilience, including the ability to handle and recover from disruptions originating from their service providers.

Can you retrieve or manipulate information that's been handed over to a third party?

In the rapidly evolving world of finance, ensuring unfettered access to data is crucial for maintaining operational resilience. This is a requirement that extends beyond borders, with regulatory bodies in the UAE, UK, and Europe all emphasising its importance in outsourcing and technology contracts.

Firstly, the UAE Central Bank mandates that banks and insurers must guarantee uninterrupted access to all data for the duration of an outsourcing agreement, even upon termination. Similarly, UK banks, insurers, and other financial entities regulated by the PRA must include provisions regarding data accessibility and availability in the event of service provider insolvency, resolution, or discontinuation of business operations. European financial entities subject to the Digital Operational Resilience Act (DORA) follow suit, requiring such provisions in contracts for ICT services.

The criticality of data access is demonstrated in various scenarios. For instance, Scenario A illustrates the mitigation of temporary disruption caused by unplanned system downtime through quick activation of a business continuity plan and support from the service provider. On the other hand, Scenario B highlights the impact of repeated emergency maintenance leading to a planned exit, where the inability to access data without substantial additional cost affected the organization's profit. Scenario C illustrates the consequences of a service provider's insolvency, forcing an unplanned exit and potential operational disruption.

To address these challenges, several models have been proposed. The "access" model grants access to the latest version of the code, environment, and data but may not be suitable in a multi-tenanted environment. The "replicate" model provides access to a mirrored instance of the cloud-based software but requires regular updating. Cloud escrow models, meanwhile, offer access to data in case of a release event.

However, traditional source code escrow is not suitable for cloud-based platforms or SaaS. Instead, cloud escrow can be a useful mechanism to support data access in stressed exits or planned exits where data is difficult to obtain from the service provider. Escrow arrangements can also be used to ensure data access in case of service provider insolvency or other issues.

Business process outsourcing agreements should contain detailed exit planning provisions for data migration. This includes provisions for data extraction, conversion, and transfer, as well as contingency arrangements for accessing data to continue providing the services if the third-party platform is unavailable. Service providers should deliver data in an accessible format without requiring additional technology licenses or purchases.

In conclusion, effective business continuity and exit planning are key components in ensuring access to data held by service providers. It is advisable for businesses to contract directly with the third-party platform provider to ensure ongoing access if there are problems with the service provider. By adhering to these guidelines, businesses can maintain operational resilience and mitigate risks associated with data access in outsourcing and technology contracts.
