
Out-Law News

Businesses can address outages risks in supplier contracts, says expert


Businesses can address some of the risks of IT outages within their contracts with technology suppliers, an expert has said.

IT outsourcing contracts expert Tim Roughton of Pinsent Masons, the law firm behind Out-Law.com, said that as consumers increasingly expect to be able to access services 24/7, there is pressure on companies to ensure their systems are sufficiently resilient to handle round-the-clock demand.

Roughton was commenting after Scandinavian bank Nordea experienced technical problems with some of its systems that caused disruption to customers last week.

A spokesperson for Nordea Finland told Out-Law.com that the disruption was caused by "a technical error" in its systems and affected an unknown number of customers in Finland. The customers affected could neither "see their account transactions nor the correct balance" when using the bank's online or mobile banking systems, they said.

The spokesperson said the fault had to be addressed "phase by phase" and accepted that it took "unreasonably long" for it to fix the error.

"We have identified the root cause and actions have started to prevent this from happening in the future," the spokesperson said.

Roughton said: "Outages can stem from a lack of investment in IT infrastructure, and there have been examples in recent times where creaking legacy systems have been unable to stand up to increasing customer demands. However, companies that take action to improve the robustness of their systems and integrate new digital technologies with older existing IT infrastructure also face a risk of outages. Increased complexity in the IT environment can lead to faults, as the recent report into the Bank of England's real-time gross settlement payment system outage highlighted."

"The way businesses manage supplier relationships and contracts can be a major factor in reducing the risk of outages. Companies should look to set robust service levels in contracts with suppliers and back them up with weighty service credits or other contractual remedies which ensure suppliers are suitably incentivised to prevent outages and/or restore functionality speedily when they happen," Roughton said.

Regulated firms can face regulatory penalties when outages cause harm to consumers. Roughton said those companies should look to reduce their exposure to the risk of regulatory penalties and other costs that relate to outages stemming from faults with supplier technology.

"Indemnities or similar contractual provisions can be written into agreements with suppliers to ensure that regulated firms are able to pass on the cost of fines imposed, or customer compensation ordered, by regulators in the event of an outage," Roughton said. "Shifting more of the cost risks onto suppliers can have the effect of encouraging suppliers to improve the measures they take to deliver 'uptime'."

Roughton stressed the need for regular open dialogue between businesses and their IT suppliers to ensure that there is sufficient oversight of projects, that change is managed properly and that potential faults are resolved before they manifest as problems with customer-facing systems.

The expert said that businesses must also have a strategy in place in the event that an outage occurs.

"This means investing in disaster recovery and business continuity plans which enable customer services to continue to be delivered through back-up systems when technical glitches bring down primary systems," Roughton said. "It also means setting a customer communications plan so that in the event of an outage the business knows how to handle incoming queries about service availability, or otherwise spread important messages relating to the incident to customers."

Roughton said that some businesses may have to report major outages to regulators under the EU's proposed new Network and Information Security Directive in future.

"Whether outages could be considered sufficiently significant to qualify as cyber security incidents requiring notification to regulators under the Directive will depend largely on what type of incidents are defined as reportable under the Directive and what criteria are set for triggering the notification requirement," Roughton said.

"Criteria could include how many people are affected by an outage, how long 'downtime' lasts for, and which specific systems are affected. For example, whilst it might be appropriate for system glitches that prevent customers making transactions at all to be reported, the same duty might not be appropriate if an outage affects only one payment service operated by a bank, such as its mobile payment application."
