European Union: Central Bank Of Cyber? ECB Releases First New Framework On Testing Cyber-Resilience And Combatting Digital Financial Crime

Last Updated: 20 July 2018
Article by Michael Huertas, Katja Michel and Markus Schrader

Quick Take – ECB leads way on cyber resilience

High-profile cyber-attacks with unprecedented sophistication and depth of impact have put cyber-resilience at the heart of supervisory priorities as well as financial stability. The ECB-led single framework for testing cyber-resilience applies to a breadth of firms and will impact processes as well as policies.

This new voluntary framework aims to improve the capabilities of supervised firms and supervisors in dealing with cyber-threats from real-life actors and their impact on firms in general, but equally on respective firm-specific "critical functions" and on the wider market. Yet all of this comes at a cost. In-scope firms may need to take preparatory steps, including securing appropriate service providers, as these will have to be assessed against specific standards and will have to be certified as being able to conduct a TIBER-EU test.

Introducing TIBER-EU

"Crossing the Rubicon" has become a term used to describe a fundamental change of affairs. Whilst the European Central Bank (ECB) has not cast the die and descended into mainland Italy as Caesar's forces did when they marched on Rome in 49 BC, the ECB has, like a good acronym, crossed another Italian and Roman river with its May 2, 2018¹ publication of a framework for "Threat Intelligence-based Ethical Red Teaming" (TIBER-EU).² "Red-teaming" takes its name from military antecedents and refers to the process of testing vulnerabilities along with the readiness and resilience of a test subject and the capabilities and effectiveness of its response force, i.e., the Blue Team. Red Team actions are unknown and masked to the Blue Team and only a select group, i.e., the White Team, have access to details of the test and the "flags", i.e., objectives that the Red Team is to "capture."

This publication marks the ECB's first real foray into the depths of defining best practice in cyber-resilience.³ Importantly, the ECB is acting in its central bank and financial market infrastructure/financial stability capacity in advancing this priority at what is a watershed moment. This matters as, even if TIBER-EU follows in the spirit of the efforts of the ECB acting in the lead of the Single Supervisory Mechanism (SSM) within the Eurozone's Banking Union, it goes much further than the SSM's supervisory priorities in this space to date. It also describes itself as the roadmap for how this framework "...will be applied across the EU" and not just the Banking Union.

The TIBER-EU framework, adoption of which by authorities and jurisdictions is voluntary, thus is very much being "offered-up" to the market and various supervisory stakeholders. Whilst the ECB's spearheading of the TIBER-EU framework is welcome in its efforts, a number of parallels to the voluntary submission to ancient Rome, and its benefits, may be apt. The Annex to the Framework sets out which requirements are mandatory (most are) and which are optional.

This Client Alert assesses TIBER-EU's approach, the expectations it requires market participants to meet, how these compare to other ECB activities in this area and some next steps that firms will want to consider in light of its changes as well as those supervisory priorities of the SSM. The requirements set in TIBER-EU apply to the entirety of the EU even if in practice it will be targeted to the Eurozone. There are a number of concurrent stakeholders that are also influencing the EU/Eurozone framework of what cyber-resilience and best practice means and what compliance with expectations ought to ideally look like. Consequently, firms are nevertheless reminded that these Eurozone-level driven measures are supplemented by specific EU-wide measures, including the FinTech Action Plan, and best practice expectations set by the European Supervisory Authorities (EBA, ESMA, EIOPA) as well as national level authorities in a number of key Member States.⁴ Some of those stakeholders and their own rules/expectations may have already implemented large parts of the CPMI-IOSCO Guidance on Cyber-Resilience for Financial Market Infrastructures, which was "operationalized" by the ECB in the Cyber Resilience Oversight Expectations (CROE). TIBER-EU goes much further than that.

We also anticipate that the TIBER-EU framework will have an important interplay in the on-going supervision of key financial market infrastructure providers, given the framework's overriding emphasis on "critical functions" – which firms will want to delineate with a view to the official definition used by the framework: "... the people, processes and technologies required by the entity to deliver a core service which, if disrupted, could have a detrimental impact on financial stability, the entity's safety and soundness, the entity's customer base or the entity's market conduct." 

We furthermore consider that this new framework will increasingly be used to police threats and resilience levels to those entities that the ECB-SSM has, within the Banking Union, defined as FinTech Credit Institutions and subjugated to additional licensing requirements – please see our standalone coverage on this available here.⁵ In more general terms, and as a pressing to-do for affected financial services firms' governance as well as IT functions, we anticipate that the trend of having at least one board member nominated as having ownership and expertise on cyber-resilience matters is likely to grow as global and EU-level initiatives all flag this theme. This is in addition to regulatory requirements impacting various firms, notably financial market infrastructure providers, to maintain a dedicated "Chief Information Security Officer" (CISO). It remains to be seen whether TIBER-EU will undertake its own "crisis communication exercise," codenamed "TITUS",⁶ as done by the ECB in November 2015 and a report dated July 2016 in the lead up to the creation of CROE.

The extent of TIBER-EU's coverage

The core aim of TIBER-EU is to provide a common framework for a controlled environment in which red-teaming can test the resilience of entities using the tactics, techniques and procedures (the TTP as TIBER-EU calls it) employed by actual threats. In summary, TIBER-EU aims to create a cyber-arena where the simulated effects of "barbarians at the gate" can test how an onslaught affects a relevant firm's resilience in overall terms, as well as that of its critical functions but equally the performance of its underlying systems. It also aims to allow firms to evaluate how their people, processes and technology are able to protect against, detect and respond to threats and attacks.

Whilst neither TIBER-EU nor other (current) analogous measures being advanced by other EU supervisory policymakers may be as integrated as a well-formed legion, TIBER-EU's core objectives are "jurisdiction agnostic" and embrace flexibility, not least due to the concept of the Implementation Guides. That helps in making them adaptable to jurisdictions but also in facilitating cross-jurisdictional intelligence-led testing and cooperation, allowing flexibility for users (both market participants and stakeholders) and embedding and endorsing the use of equivalence decisions so that one supervisor can rely on the assessment of another and thus foster mutual recognition and sharing of results. These approaches cement TIBER-EU's value proposition for supervisors and may also yield benefits for certain market participants. TIBER-EU's 58 pages are addressed to stakeholders and policymakers shaping supervisory responses to improve cyber-resilience as much as to market participants that may be in-scope of "TIBER-EU testing".

As with a range of other ECB rulemaking, whether as central bank or in the SSM, TIBER-EU is designed to be "guidance," adopted on a voluntary basis and from a variety of perspectives by supervisory authorities, whether as a tool for oversight and/or supervision or a catalyst for improvement.  This soft law approach has a number of benefits, not least politically in getting support from ECB-internal stakeholders but also those authorities in the Eurosystem in terms of how these new measures impact existing mandates of EU and national level authorities.

In addition to the observations of how these centrally set supervisory expectations qua rules (and leaving aside the point that they come from the central bank as opposed to the supervisory corner of the ECB), TIBER-EU offers a common toolkit but invites relevant authorities to exercise discretion as to which type of entities might be selected and when they are requested to submit to TIBER-EU testing. It is conceivable that some of those invitations may be more forceful than others.

Who is in-scope?

TIBER-EU tests also apply to a much wider range of financial market participants that the ECB is interested in, rather than just those that are supervised by it in the SSM on a direct (ca. 120 entities representing 80 percent plus of Eurozone AUM) or indirect (ca. 6,000+ legal entities) basis. Paragraph 2.1 of the TIBER-EU framework states that "entities" include:

  • Payment systems
  • Central securities depositories
  • Central counterparty clearing houses
  • Trade repositories
  • Credit rating agencies
  • "Stock exchanges" – NB the non-MiFID II use of the terminology
  • "Securities settlement platforms" – NB the non-MiFID II use of the terminology
  • "Banks" – NB the non-CRD IV/CRR use of the terminology
  • Insurance companies
  • Asset management companies - thus both AIFMs and UCITS ManCos
  • "any other service providers deemed critical for the functioning of the financial sector"

Consequently, the scope of coverage is quite vast, and that makes sense given the framework and, separately, the mandates of linked forums, including that of the Euro Cyber Resilience Board for pan-European Financial Infrastructures (ECRB).

TIBER-EU tests

Testing of relevant firms is conducted by one or more relevant authorities. In respect of cross-border firms, TIBER-EU's core objectives of cross-jurisdictional cooperation mean, similar to how supervisory colleges already operate, that such tests are contemplated as being conducted either:

  1. on a cross-authority collaborative testing basis "directed" by one of the relevant authorities (similar to home–host state passporting), and/or
  2. on a basis of a test "managed" by one of the relevant authorities (preferably the "lead" authority)

The above options are both designed to be mutually recognized and "...to provide assurance to relevant authorities in other jurisdictions, provided the core requirements of the TIBER-EU Framework have been met."

Crucially, the TIBER-EU framework is unequivocally clear that it will only recognise a TIBER-EU test if:

  • It is conducted by independent third-party providers (external threat intelligence (TI) and red team (RT) providers); and
  • It involves all stakeholders i.e., the "testing entity, which is responsible for managing the end-to-end test and ensuring that all risk management are in place to facilitate a controlled test", the TI and RT providers who conduct the test, the authorities that oversee the test and "...ensure they are conducted in the right spirit and in accordance with the TIBER-EU Framework." – NB it is not fully clear from the initial drafting whether the "testing entity" was meant to mean the test subject or a different entity.

The rationale for requiring independence of external providers is that they:

"...provide a fresh and independent perspective, which may not always be feasible with internal teams that have grown accustomed to the internal systems, people and processes. Furthermore, external providers may have more resources and up-to-date skills to deploy, which would represent additional benefits for the entity."

Whilst this may be sensible and conceptually follows how external audits operate, it introduces additional costs for firms. It will also introduce a need for a number of firms, irrespective of them having been formally invited/ordered to participate in a test, to take preparatory measures. This is important as firms will want to be in the driving seat on costs, quality, standards and response time of RT but also TI providers if they are required to participate in a test. As the TIBER-EU framework also introduces reference to a forthcoming "TIBER-EU Services Procurement Guidelines",⁷ in-scope firms will want to ensure they have sufficient ability to procure providers and are able to ensure that these meet the standards set by the ECB, which also require that "...the providers are accredited and certified by a recognised body as being able to conduct a TIBER-EU test." The new framework does acknowledge that sufficient due diligence by the test subject of TI/RT providers will be an appropriate stop gap ahead of TI/RT accreditation and certification processes becoming more commonplace in specific and/or across EU jurisdictions. Whilst the framework makes no explicit mention of it, there are a number of implied references that a test subject should contract with EU-based operations of TI/RT providers.

Three phases, no pass or fail but TTI Reports and remediation plans

The TIBER-EU framework does not operate on the basis of pass or fail but rather is supposed to provide insight into strengths and weaknesses in resilience. It is conceivable, however, that test results, even if formally submitted to the ECB in its central bank capacity, may flow into the supervisory dialogue with ECB-SSM supervised firms.

The TIBER-EU framework is built on a "mandatory three phase process for an end-to-end test." This is comprised of:

  1. preparation phases and formal test launch – including engagement, scoping and procurement activity of TI and RT providers as well as the setting up and approval of test parameters by the test subject's board (or presumably a similar governance function) as well as subsequent validation by the oversight/supervisory authority
  2. testing phase: which includes TI and RT probing, the delivery of a formal "Targeted Threat Intelligence Report" (the TTI Report) detailing the test subject's vulnerabilities, attack scenarios etc. and which will form the basis of the RT provider carrying out intelligence-led red teaming of "...specific critical live production systems, people and processes that underpin the entity's critical functions." In short, the TTI Report lays out the roadmap for going for the jugular and testing resilience against a range of "break the business scenarios". A realistic definition of various processes relevant to and important for the breadth of the test subject's critical functions will play an important part in this exercise
  3. "closure" phase: which includes compiling a "Red Team Test Report" detailing what was tested and how, along with findings and observations as well as roads for improvement and remediation. The Red Team Test Report is expected to be acted upon in "...close consultation with the supervisor and/or overseer". A separate "Blue Team Report", as well as a joint-team "Purple Team Replay Workshop" plus 360-degree feedback, aims to assist in working through the steps for improvement in, as the framework puts it: ... "a "learning and evolving" principle that underlies the TIBER-EU framework."

Red, white, blue – how I test you

What is important to recall is that these testing phases are designed to be conducted on the premise of confidentiality as well as ethical hacking. This means that the RT performs its testing without the knowledge of the test subject's security or response capability (i.e. the Blue Team) and only a select circle of persons from the test subject (i.e. the White Team) will be permitted to know about the test.

Whilst this makes sense in ensuring a non-biased testing environment, compliance and governance functions will, in particular since the latter has a validation role in the steps above, be required to be collated on a list of those that "are in the know". That list will have to be kept in a secure yet sufficiently manageable fashion, reflective of global locations of personnel and stakeholders, and may need to be disclosed, as part of evidencing strength of testing itself, to competent supervisors. This is especially important as the relevant supervisor, and their respective "TIBER Cyber Team" (TCT), are able to invalidate the tests if there are concerns on whether they are conducted in line with the spirit of the framework.

It is conceivable that the ECB and respective relevant authorities will, possibly in the ECRB format, need to develop similar documented principles of who concretely does what and when in respect of firms to be tested and the test results, as supervisory colleges do in the EU both in and outside of the Banking Union's operations.

Interplay of TIBER-EU with other workstreams

TIBER-EU builds upon the mandate of the ECB (as central bank)-sponsored Euro Cyber Resilience Board for Financial Infrastructures (ECRB)⁸ that is responsible for the January 2018 Cyber Resilience Oversight Expectations (CROE),⁹ which TIBER-EU supplements. The ECRB operates on the basis of voluntary membership and aims, in relation to cyber-resilience, to identify strategic issues, work priorities, common positions, directions and statements, as well as responding to requests for advice from national and EU authorities, including Europol and separately the somewhat controversial European Union Agency for Network & Information Security (ENISA) that is responsible for wider cyber-security.

Moreover, the ECB will maintain a TIBER-EU Knowledge Centre (TKC), which is also responsible for keeping track of which jurisdictions adopt TIBER-EU and also acts as a central gatekeeper of the framework and as interlocutor with the ECRB. The ECB-hosted TKC aims to coordinate collaboration among national and European TCTs.

It is not clear how this will translate into new or repurposed resources at national and EU level authorities but it marks a definitive and decisive tone especially as the ECB sets TIBER-EU as a central hub around which accompanying national (TIBER-XX) or other EU-wide (TIBER-EU-YY) "Implementation Guides" are intended to be built allowing flexibility but steered by a strong lead from the centralized TCT at the TKC but also in each jurisdiction adopting the framework.

Outlook and next steps

In terms of approach and institutional set-up, much of the TIBER-EU framework, even if being advanced by the ECB as a central bank, mirrors the existing pillars of the Banking Union – strong central technical and supervisory lead at the ECB level coupled with national level expertise. It will be interesting to see which national authorities are quick to embrace TIBER-EU and which are more hesitant.

The notion of the ECB-hosted TKC as a hub that coordinates multiple colleges of TCTs is also unsurprising but may translate into increased need for firms to be clear as to what is documented where and what is disclosable to whom. Equally, the jurisdiction-agnostic and flexible framework permits flexible adoption, which in the current version allows for relevant authorities to mandate "voluntary" testing and/or mandatory testing, and this may mean that firms have more disclosure channels to manage.

More importantly, the TIBER-EU framework currently, even if it does very much cater for cross-jurisdictional approaches, does not contain definitive rules that deal with cases where stakeholders disagree on whether a critical function is in fact critical. In simple terms this translates into a need for a number of firms, in addition to adopting their own TIBER-EU policy, which may be disclosed to competent authorities, also to consider whether to set up appropriate internal training and links to RT and TI providers rather than having regulators impose conditions upon them.

In summary, TIBER-EU, in its first version, is a defining contribution to improved cyber-resilience but one where a number of core elements remain to be worked out and will need to be published. Those that are caught by these new expectations, whether as supervised financial services providers or TI/RT providers, will want to ensure they are able to be "test-ready" and in control of post-test and other on-going obligations. As this framework is being rolled out centrally from the ECB and supplemented by national authorities, affected entities will need to liaise with a vast array of supervisory as well as internal stakeholders to steer their compliance but also take control of their overall cyber-resilience priorities.

Footnotes

1. The TIBER-EU publication was also accompanied by a video on the ECB's YouTube channel describing what it terms "ethical hacking", which is available here: https://www.youtube.com/watch?v=9vLxlr0ExnM&feature=youtu.be.

2. See: https://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework.en.pdf

3. Even if it builds upon efforts of several national central banks – notably the Netherlands and its TIBER-NL framework – see: https://www.dnb.nl/binaries/TIBER-NL%20Guide%20Second%20Test%20Round%20final_tcm46-365448.pdf

4. Notably Germany, see our coverage on this available here: https://www.dentons.com/en/insights/alerts/2018/july/3/bafins-supervisory-requirements-for-it-in-financial-institutions

5. See our coverage from our Eurozone Hub available here: https://www.dentons.com/en/issues-and-opportunities/eurozone-hub/-/media/73a225386d0d4c1f91bf3ea003077b11.ashx

6. Note the ongoing Roman Empire theme here....

7. Which is expected possibly as early as August 2018. 

8. See: https://www.ecb.europa.eu/press/key/date/2018/html/ecb.sp180309_1/ecb.sp180309_1_ECRB_mandate.pdf

9. See: https://www.ecb.europa.eu/paym/pdf/cons/cyberresilience/cyber_resilience_oversight_expectations_for_FMIs.pdf

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
