30 April 2020
Introduction
The COVID-19, and the various restrictions that have been implemented in response to it, are causing extraordinary business disruptions. Many organizations have had to modify their operational controls and accommodate a shift to remote working (among other adjustments).
One key impact of COVID-19 involves an organization's relationships with its IT service providers, which often play important roles in securing their data and systems. Under current conditions, some service providers may face challenges in performing this work, especially for engagements that require significant personnel resources or that require personnel to be on-site. Potential non-performance has significant consequences for service providers and their clients alike.
A couple examples highlight this issue:
A service provider might be contracted to provide cybersecurity monitoring services for a company. Due to the impact of COVID-19, however, the service provider might not have sufficient personnel available to provide these services at the contracted level or frequency. That could mean reduced monitoring and thus potentially slower responses to cyber events.
A company that uses a service provider's co-location space to house its servers may rely on the on-site security provided by the service provider to protect information maintained on the servers. But because of COVID-19, the service provider may have to scale back its onsite security controls, which could impact the company's regulatory compliance and litigation exposure.
To prepare for these challenges, entities that have contracts with service providers (and service providers themselves) should carefully review their existing agreements and any force majeuretype provisions in particular. Although force majeure provisions in existing contracts may not specifically contemplate a global pandemic such as COVID-19, these provisions are often broadlyworded and based on events beyond a party's control and may excuse non-performance under the contract or allocate risks and costs differently when such an event occurs.
Here's our COVID-19 service provider risk mitigation checklist:
Step 1: Determine whether contractual commitments remain in full force
Check the contract's governing law, as some jurisdictions recognize common law doctrines like impossibility that may excuse non-performance without written force majeure provisions.
Determine whether there is a force majeure clause and, if so, whether COVID-19 is arguably covered.
Understand what happens if one of the parties invokes a force majeure provision and who bears what risk.
Review and follow contractual notice and response requirements for force majeure events and document all evidence that would support your claim.
Step 2: Understand your risk
Evaluate the risks to your business of service provider non-performance due to COVID-19.
In particular, review legal and regulatory obligations that may be impacted by service provider non-performance.
Contact to your service providers to determine what challenges they are facing in light of COVID-19.
Assess the likelihood of service provider non-performance and invocation of force majeure provisions.
Step 3: Mitigate risk
Communicate with your service providers to identify and evaluate the potential scope of non-performance.
Develop a strategy to fill in any performance gaps.
Work with service providers to identify and implement potential alternatives for example, if a service provider is unable to meet certain security requirements, require that service provider to adopt specific compensating controls and/or cybersecurity hygiene practices, such as utilizing VPNs and using secure WiFi/router configurations and document the new arrangement. When a service provider is unable to handle even modified procedures, consider all options, including the development of controls and processes in-house.
Review your disaster recovery plan and resources
Hogan Lovells can help you respond to these challenges and evaluate risk. Get in touch with one of us or send a note to COVID19@hoganlovells.com. And if you would like additional information on topics related to COVID-19, please click here to access our webpage.
