Contract Management

  • 1.  "Disaster Recovery/Business Continuity" clause

    Posted 11-03-2020 12:37 PM

    Hi all,

    I'm looking for recommendations on the components of a well-formed disaster recovery clause. I have a few examples, and from what I can tell the more complete ones have the following provisions/requirements:

    1. Maintain a plan and procedures which will ensure Vendor's ability to meet obligations under the contract in the event of a disaster.
    2. As part of that plan,
      1. maintain backup capabilities and facilities. (I've sometimes seen this in separate 'backup management' clauses.)
      2. notify Company within <time> of a disaster.
    3. Test the plan annually and provide Company with copy of test results upon request.

    Does the above look correct? Does anyone specify RPO and RTO in their DR clause?

    Joe



  • 2.  RE: "Disaster Recovery/Business Continuity" clause

    Posted 11-05-2020 12:05 PM

    Hi Joe,

    Here are the components that we would like to see written into the clause:

    • Description of vendor's responsibility for back-up and record protection.
    • Provision for maintenance of disaster recovery and business continuity plans.
    • Provision for vendor to test plans regularly and provide results to institution.
    • Provision for vendor to provide a copy of contingency plan that describes required operating procedure in event of business disruption.
    • Provision for timeframes that meet institution's requirements.
    • Financial Institute's responsibility to control Business Continuity risks.

     An example clause:

    Business Resumption & Contingency Plans:

    1. Vendor will maintain dual central processing units (CPUs) in its data center and provide off-premises secured storage of data and program files as required by applicable regulations and will have redundant sources of electrical power. Vendor's business continuity plan shall provide back-up and stand-in capabilities.
    2. Each party will establish & maintain disaster recovery procedures sufficient to establish all applicable regulatory requirements and requirements of independent auditors.
    3. Vendor shall test its BC/DR plan at least once annually and provide results to Financial Institute upon request.
    4. Vendor's disaster recovery policies and procedures will be made available upon request.
    5. In the event Vendor is unable to perform its obligations through no fault of its own Vendor shall promptly provide or arrange for payment processing services equivalent to its own processes, in at least 24 hours after service interruption. Vendor will immediately notify Financial Institute of any interruption to its business or unavailability of any site. In no more than 24 hours following interruption/unavailability, Vendor shall provide information regarding its implementation of Disaster Recovery / Business Continuity plans, effectiveness of the implementation and impact of the interruption or unavailability.
    6. Financial Institute is responsible for maintaining a functioning redundant computer system for its Primary Disaster Recovery Plan.

    I would love to see others' input on any additional language they include in the BC/DR clauses!


  • 3.  RE: "Disaster Recovery/Business Continuity" clause

    Posted 11-06-2020 02:45 PM

    Here's another version I found online which seems pretty good, as well:

    Business Continuity Plans. [PARTY A] shall maintain a business continuity plan for each [DELIVERABLE], describing measures [PARTY A] will implement to recover from a Disaster.

    Disaster Recovery Plans. [PARTY A] shall include in each business continuity plan a plan for the recovery of critical technology systems, and procedures for restoring business operations at the primary location or at a designated recovery site for those critical technology systems, if necessary.

    Backup Facility. [PARTY A] will maintain disaster recovery services at a dedicated facility which is equipped to handle data center processing in the event disaster recovery is needed.

    Testing. [PARTY A] will test its disaster recovery capabilities at least once per calendar year and provide the results of each such test to [PARTY B].

    Notification of Events. [PARTY A] will notify [PARTY B] within one (1) hour of an event occurring that will likely result in service interruption in excess of forty-eight (48) hours. Following such a communication, [PARTY A] will provide updates on an hourly basis as to whether or not a disaster will be declared.

    Offsite Storage. [PARTY A] will provide off-site storage for [PARTY B]'s data files so that they can be reconstructed in the event of loss or destruction of [PARTY B]'s processing files at [PARTY A]'s backup facility.

    Backup Facility Agreements and Security. Throughout the term of this Agreement, [PARTY A] shall maintain in effect contracts and/or arrangements which are substantially equivalent to those that are currently in effect. [PARTY A] shall ensure that all data processors shall comply with no less than the security and data protection standards in this agreement.




  • 4.  RE: "Disaster Recovery/Business Continuity" clause

    Posted 11-05-2020 04:09 PM
    Hi Joe,

    In addition to the great info from Heather's response, one thing we do additionally is that in regard to the annual test of their Business Continuity / Disaster Recovery Plan, we ask to be able to participate in the test - at least to the limited extent that the test impacts our interaction with the vendor or impacts how we access the product or service provided by the vendor.

    For example, one vendor provides us a product that requires us to be able to access it via a secure connection to a cloud environment. If the vendor has to change the connection path to that cloud environment as part of their BC / DR test, we want to be able to participate with that part of the test to ensure we can still access the cloud environment through the new connection path if the vendor implements its BC / DR plan in real life. 

    - Ivan

    ------------------------------
    Ivan A. Martin
    Senior Contract Administrator
    Iowa Student Loan
    ------------------------------



  • 5.  RE: "Disaster Recovery/Business Continuity" clause

    Posted 11-06-2020 08:40 AM
    Nice addition. Thanks!