Last summer’s floods in Queensland were a natural disaster on a scale rarely seen before in Australia. This time last year, few of us would have thought that the central business district of an Australian capital city could be effectively shut down by floodwaters. Yet that is exactly what happened.
Offices in central Brisbane were abandoned and power turned off, effectively bringing business there to a halt. The extent of the damage caused by the Queensland floods was truly shocking. Planning for such a disaster is a confronting task, but it is something that every business must do if it wishes to remain viable during a disaster event. One critical aspect to consider is IT, as almost every business will need functioning IT systems in order to continue operating. This article identifies some issues that a customer should consider in order to ensure that its outsourced IT services remain available during a disaster.
Disaster recovery planning
The first priority for a customer should be to ensure that all of its key IT suppliers are subject to appropriate disaster recovery obligations. The customer’s contract with each such supplier should include provisions requiring that the supplier:
- develop a disaster recovery plan that will enable the supplier to continue providing necessary services in a disaster scenario and then implement that plan if such a scenario arises. The plan should identify all critical services, set out the process for reinstating each such service in the event of a disaster and include target times for achieving reinstatement. The plan should also set out appropriate data back-up procedures (including by specifying how often back-ups will be made and where they will be stored) and identify an alternative service location from which the services can be provided in the event the primary service location is badly affected by the disaster. When approving a back-up location, customers should be mindful of privacy requirements and, in particular, data export restrictions;
- provide the customer with a copy of its disaster recovery plan or, at the very least, the essential elements of it. In particular, the customer should know what the supplier’s communication protocols will be in the event that the plan is put into effect (e.g. how the customer will be notified that the plan has been triggered, who the customer’s designated contact person will be, how the supplier will provide updates on the progress of recovery activities etc); and
- test its disaster recovery plan on a regular basis. The customer should be entitled to participate in the testing process and review test results and, of course, the supplier should be required to revise and update the disaster recovery plan based on those results.
It is sensible to include disaster recovery provisions in every supplier contract. However, in some cases, they will be mandatory under relevant regulatory requirements. For example, the Australian Prudential Regulation Authority’s (APRA) standard on outsourcing requires that authorised deposit-taking institutions (ADIs) include business continuity provisions in all of their outsourcing contracts. In addition, the standard provides that APRA may require the ADI to arrange for an external audit of the risk management processes that are in place in relation to the outsourcing, including any disaster recovery arrangements. Customers who are subject to the APRA standard or any similar regulation must ensure that their disaster recovery arrangements satisfy all relevant regulatory requirements.
Interaction with force majeure provisions
Apart from including specific disaster recovery provisions, the customer will also need to carefully consider other parts of its IT service contracts that may be enlivened in the event of a disaster. In particular, the customer should consider how the disaster recovery provisions interact with any force majeure provisions in the contract, which may relieve the supplier of some of its performance obligations in the event of a disaster, such as a flood or other serious weather event.
From the customer’s perspective, it is important that force majeure provisions are appropriately restrained, so that they do not excuse a failure by the supplier to take appropriate mitigating action in the event of a disaster. In particular, the force majeure provisions should:
- not excuse any failure by the supplier to comply with its specific disaster recovery obligations (including by implementing the disaster recovery plan, which should be expressly designed to apply in the event of a disaster); and
- only excuse any other non-performance by the supplier to the extent that the non-performance is actually caused by the disaster event (and not some other cause within the supplier’s control) and could not have been avoided even by properly implementing the supplier’s disaster recovery plan.
Disaster recovery and cloud-based services
Disaster recovery issues require special consideration when dealing with cloud-based services (i.e. services that are provided using equipment owned and controlled by the service provider, rather than the customer, and are accessed by the customer through a remote data connection).
Where a disaster specifically affects the customer’s business location, it may be to the customer’s advantage for services to be cloud-based. This is because the customer can effectively access the same services from any location that has a suitable data connection. Accordingly, assuming that the service provider is in a different location to the customer and has not been affected by the same disaster, the customer may be able to simply move to an alternative location and resume using the same services with no loss of data or functionality.
However, cloud-based services will still be vulnerable in the event of a disaster that affects the location from which the supplier provides those services (e.g. the data warehouse where the supplier is storing data for the customer). As such, before choosing a cloud-based solution, it is critical for the customer to carry out appropriate due diligence to satisfy itself that the supplier has suitable disaster recovery arrangements in place. The customer may want rights to inspect relevant service locations in order to complete this due diligence and satisfy itself that appropriate precautions are being taken.
If the supplier is using common infrastructure to provide services to a range of different customers, the supplier may not necessarily have a great deal of flexibility to agree to customised disaster recovery arrangements. In this case, while the customer may have to be satisfied with the supplier’s standard arrangements, it should at least obtain some assurance that the supplier will not give other customers preferential treatment in the event of a disaster. In other words, the customer may want an undertaking from the supplier that, in the event of a disaster, the supplier will not prioritise the reinstatement of other services or reallocate resources in a way that disadvantages the customer.
In all cases, a great deal of planning and forethought is required in order to effectively deal with a disaster event. Although the possibility of a disaster occurring may seem remote, there will be no second chances if the worst does happen and it will be those who are best prepared that will suffer the least.