The Lexpert Special Editions profiles selected Lexpert-ranked lawyers whose focus is in Corporate, Infrastructure, Energy and Litigation law and relevant practices. It also includes feature articles on legal aspects of Canadian business issues.
Issue link: https://digital.carswellmedia.com/i/1470136
6 www.lexpert.ca Feature "The new rules come from OSFI wanting to understand issues that are potentially impacting the industry and taking steps to proactively prevent incidents and improve the resiliency of those systems" Nathan Schiessel MLT AIKINS "Reportable incidents can't just be about cyber breaches. They must also be about major outages, or system problems that impact customers – things that affect the stability and integrity of our financial institutions" Joel Ramsey TORYS LLP system aspects and then build in the service packages to reflect different situations. One good thing about the Canadian regulatory environment, Ramsey says, is that it encourages a "risked-based approach to assessing and implementing guidelines" that accommodates different service levels. Ahmad adds that many third-party vendors have multiple service-level packages ranging from basic to deluxe. "As a respon- sible organization purchasing these services, you must know your needs and negotiate the contract accordingly." e bottom line, says Schiessel, is that contracts are no longer simply about a busi- ness arrangement and whether the agreement is legally binding. "I think that for a long time, these contracts with third-party vendors were looked at through a business operations lens. However, now it is also about meeting regulatory compliance standards. It will require a bit of a shi in thinking for both customers and service providers when they're working on their contracts." Customers must do their due diligence about what they need from a provider, says Schiessel. However, it is also essential that service providers develop a clear and trans- parent process for helping the customer meet its regulatory requirements. Beatrice Bozinovski, corporate legal counsel at Healthcare of Ontario Pension Plan (HOOP), who also looks aer gover- nance issues, says that third-party technology customers need in-house counsel to be aware of regulatory changes such as the ones in the OSFI advisory. An in-house counsel like her needs to ask "the right questions" and work with outside counsel, such as Blakes, to ensure the highest possible compliance standards are reflected in service contracts and include the necessary protections. She adds that when they ask vendors about tight turnaround timelines, vendors will some- time say, "Well, we can't operationalize that." But tighter rules, as cited in the OSFI advisory, "really change the game" in negotiating these provisions into contracts. Tremblay at Blakes also suggests that advi- sories on regulatory compliance could also provide a chance for dealing with potential new vendors. "It provides a good starting point for asking, 'What about this?' or 'How does your soware handle this situation?' and making some determination on whether we want to trust this vendor with very sensi- tive information." He adds firms might also want to engage outside counsel with expertise in these types of contracts because "we do it every day, and we've seen contracts go wrong, and what