by Drew Patty, McGlinchey
Even before the current pandemic, businesses large and small were increasingly relying on outsourced, vendor-hosted software applications, commonly referred to as “cloud computing” or “software as a service” (SaaS), to improve efficiency and profitability. Some businesses also outsource computing infrastructure under “Infrastructure as a Service” (IaaS) agreements and outsource software development, deployment and management needs under “Platform as a Service” (PaaS) agreements. For our purposes, all of these arrangements will be referred to here as “SaaS agreements.” Remote work arrangements made necessary by the lockdowns associated with the pandemic response have substantially heightened businesses’ reliance on the services provided under SaaS agreements. In addition to addressing their own vulnerabilities introduced by remote work and reliance on hosted applications and similar vendor services under SaaS agreements, business lenders and board members must be aware of, and should evaluate, the extent to which their institutions and borrower customers rely on these services, in order to understand the full scope of operational, compliance and loan default risk presented.
Borrower dependency on third-party hosted application services for mission-critical operations raises a number of unique issues for evaluation in terms of both underwriting and loan portfolio monitoring, in order to make informed credit decisions and mitigate new risks that can arise after a loan is funded. While the issues become even more intriguing when the borrower is itself an IaaS, PaaS or SaaS vendor, this article will focus on the evaluation and management of risks undertaken by conventional borrowers who rely in some manner on these outsourced services for operationally significant software or data processing in order to generate revenues and fund loan repayment.
Credit Analysis – Operational and Regulatory Risks from Heavy SaaS Reliance
When a borrower relies on a service vendor to host and license mission-critical software or store and process operationally important data off-premises for access over the Internet, attention to the right details in pre- and post-closing loan due diligence will help evaluate both operational and privacy risks to the borrower, and can bring into focus an often overlooked repayment risk to the bank. This requires the lender to ask the right questions, to create in the borrower an obligation to disclose the outsourced services on which the borrower relies, and to uncover terms and conditions of critical SaaS agreements governing those services to understand whether the borrower and its lender are adequately protected.
Once an inventory of the borrower’s important SaaS agreements is compiled, the licensed products involved, the function they serve and their level of importance to the borrower’s operational integrity should be considered. Some key questions include:
What contingencies are built into the SaaS agreement, if the borrower loses access to the SaaS platform or service, or data stored therein, for an indefinite period of time?
Who owns and has access to the data stored in the platform?
How, and how often, is data backed up, where are the backups stored, and can the borrower obtain a copy of them?
What are the borrower’s rights to access its data in the event of early termination or a dispute with the vendor?
Is the vendor taking responsibility for security of data while stored in their systems, notification in the event of a data leak or breach, and mitigation of any resulting damage?
Does the borrower have any ongoing auditing rights to verify compliance?
What happens in the event of bankruptcy by either the borrower or the SaaS vendor?
Is there any need for a SaaS escrow to provide a backup version of the SaaS platform in the event the vendor is no longer operating?
Depending on the application’s importance to the borrower’s operations, SaaS agreements should have some or all of these issues addressed in a way that can permit the borrower to re-establish operational data integrity, data access and use of the applications or data processing services without unsustainable disruption of operations in the event of a major service outage for any reason.
The regulatory framework in which the borrower operates also should be taken into account when reviewing critical SaaS agreements, to understand the borrower’s compliance burdens, which may affect the way the SaaS services must be performed, and to ensure that the SaaS vendor will cooperate with the borrower in meeting regulatory obligations that exist now or may arise in the future. Depending upon the nature of the consumer data under their control, newer privacy regulations like the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) may apply to certain borrowers and their data processors, even if located far away from the regulating jurisdiction. Borrowers who receive, store, process or distribute any consumer personal data, whether under terms of SaaS agreements or not, deserve special attention due to the heightened regulatory requirements being placed upon how such personal data is managed. Some SaaS agreements fail to require the vendor to provide ongoing cooperation in assuring that its systems meet the same standards that would otherwise apply to the borrower if the borrower hosted the applications internally, and fail to provide the borrower with a mechanism for getting out of the agreement if the vendor will not or cannot do so.
If a critical SaaS agreement fails to reasonably allocate responsibilities for data privacy compliance and data breach notification, indemnification rights in the event of data breach, impact management in the event of computer viruses or ransomware, cyber insurance coverage and the like, a data incident involving consumer data could spell real regulatory and financial trouble for the borrower’s business.
Portfolio Management – Borrower SaaS Dependency Arising During the Life of the Loan
The foregoing risks do not go away at closing, of course. Borrowers can enter into new SaaS agreements with vendors any time in the future, potentially re-configuring the business’s operational posture and risk profile. They can also modify their business models and workflows to increase the volume of consumer personal data they must control or process, increasing regulatory compliance risks. Some examples of questions to consider that may impact loan portfolio monitoring and loan covenants relating to post-closing obligations include:
At what point during the life of a loan, if any, does the lender need notice of a borrower’s new or modified SaaS agreements that change its operational posture regarding the processing, storage and retrieval of critical business data?
What notification, if any, does the lender need from the borrower, in the event of a data breach suffered by a borrower’s critical SaaS vendor?
If a technology escrow is triggered by a borrower under a critical SaaS agreement, should the lender be notified?
Should the lender get notice if a fine or penalty is levied against a borrower or its critical SaaS vendors by a regulatory body under an applicable data privacy or cybersecurity regulation over the life of the loan?
The questions posed above are not exhaustive but are intended to trigger lender consideration of the various downstream implications of a borrower’s heavy reliance on third party vendors for hosting and operating important business processes and processing of consumer personal data. Through awareness of these implications, bank leaders can take them into account when evaluating business value and loan risk, developing loan terms and conditions, and performing portfolio management.
Drew Patty is a partner in McGlinchey’s Baton Rouge office. He chairs the firm’s Intellectual Property practice and co-chairs the firm’s cybersecurity and data privacy practice. He handles transactional IP matters and related litigation and represents clients from a wide variety of industries, including financial services.