Help! I've been hacked | Your service provider goes down. What now? | Who do I need to notify, what are my legal obligations? | How can we help improve your cybersecurity? |
Downtime: how to react and mitigate consequences for your business?
Modern society relies extensively on (digital) service providers for every-day life. Businesses engage service providers to support them in delivering goods and services to their customers. Cloud services such as Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platforms as a Service (PaaS) have become indispensable for organisations while conducting business.
If any of your service providers, on which you rely heavily, experiences an outage, the consequences will inevitably be felt within your organisation, requiring you to act swiftly, decisively and correctly.
Such response should entail the following elements, helping you to get ahead in case of an emergency.
When your organisation is faced with downtime of a service it relies on, the first reaction should be to consult the internal procedures that are in place for such situations.
Concretely, the following procedures should be in place and should be adhered to:
When downtime occurs, there should be a procedure for determining the seriousness of such a fallout and the risks it triggers. It should be clear who within the organisation to contact and which steps, such as minimisation of the risks and mitigation of the consequences, should be taken.
Your organisation should have a procedure in place to prevent threats to the business continuity when downtime strikes and to safeguard the continuity by defining how the organisation can remain operating, how it can recover and which measures should be taken to minimize the damage.
A specific element of the business continuity plan is the disaster recovery plan, that focuses on the recovery of the organisation’s IT systems within the shortest delays. The plan can specify the maximum amount of data the organisation can lose in order to be able to resume normal operations and the maximum duration of the downtime after which the IT systems have to be recovered in order to avoid irreversible consequences.
A second point of action in case of downtime is to check the Service Level Agreements (SLA) between you and your service provider. These SLAs will typically specify a uptime percentage, a percentage of the total time (within a certain timeframe) for which the service provider commits that its services will be available to you.
In the event of errors and/or downtime going beyond the error margin that the service provider has envisaged in the SLA, the SLA may grant you service credits or other compensation in accordance with the amount of downtime suffered.
Your SLA will typically also state what sort of support your service provider will offer in case of incidents and will contain valuable information on who to contact, how to contact them and within which timeframe you can expect an answer and resolution of the incident. You would also want to know the timeframes within which your service provider is required to notify you of any incidents or issues the service provider detects.
Since the provision of services to your customers can be seriously impeded when there is a fallout at your service provider, and customers might claim compensation from you, it is very important to know your rights in relation to your service provider.
Furthermore, and coming back to the previous point on the disruption of your own services, you should have an overview of your obligations towards customers. When downtime occurs, it will prove essential to be able to determine at a glance which of your services will be affected by the downtime and which obligations, such as service levels, towards specific customers are at risk of not being fulfilled. Once identified, the affected customers can be informed.
Another valuable action to take is pro-actively revising the liability clauses in the contracts and terms and conditions you use. To the extent permitted by law, the liability for failure to fulfill contractual obligations, that results from downtime of a service provided to you by a third party, can be limited or excluded.
If you need any support in implementing the above measures, please contact us.
Do you need immediate assistance? Call our cybersecurity hotline.
This article is part 2 of our cybersecurity series: