The challenges of the enterprise in the cloud
August 2018 | SPECIAL REPORT: TECHNOLOGY IN BUSINESS: STRATEGY, COMPLIANCE & RISK
Financier Worldwide Magazine
August 2018 Issue
From one perspective, cloud services are not new. Though it has become fashionable to term something as being provided on a ‘X as a service’ basis, the concept of what used to be known as ‘application service provision’ and the wider scope of remotely hosted services has been around since the 1990s. However, increasing telecom capabilities and the increased sophistication of cloud-based offerings have resulted in increasing take-up of cloud-based services. Initially, much of this take-up was at what might have been termed the ‘commodity’ layer; that is, in relation to lower risk, lower value functions which would not have a disastrous impact upon the customer entity, were the services to encounter issues. However, as the cost and flexibility advantages of cloud-based solutions become ever more apparent, we have seen organisations begin to push ever-more substantial and business critical elements of their functions and operations into the cloud, and increasingly into both public and private clouds. In doing so, however, they may face some interesting legal and contractual challenges.
From one point of view, the provisions regarding the use of software products that go to make up a pure software as a service (SaaS) solution may not have changed that much. The major software players have long had strong bargaining positions when it comes to the use of their software products. Accordingly, their base licence terms, in relation to on-premise licence grants, would ordinarily be relatively restricted when it came to matters such as scope of warranties and related remedies, liability limits and the like. However, in moving to a cloud-based solution, as opposed to a traditional licensing arrangement, such providers are also now taking on a wider scope of service-style obligations, associated with the provision and support of the associated infrastructure on which their software products will sit. This opens providers up to a new set of contract requirements which they would not ordinarily have had to grapple with, such as IT security, business continuity and disaster recovery, data protection and the like.
The challenge, in this regard, is exacerbated by the fact that the larger customer organisations (at least) will ordinarily have their own sets of expectations as to what kinds of contract terms would apply to such services. Some of the more sophisticated SaaS solutions in particular may appear to be more like outsourcing in another guise, and so the customers may expect to see the kinds of contract provisions which would ordinarily be included in an outsourcing agreement, including, for example, more substantial service level regimes (with real ‘teeth’ in the event that they are not met, in the form of meaningful service credit provisions, linked also to termination rights in the event of serious or persistent non-performance), wider scoping of service obligations to include those ‘reasonably’ or ‘necessarily’ implied as part of the relevant functions, lengthier lists of warranties and indemnities, and prescribed processes that a supplier must follow in order to itself get relief from its own obligations (often known as ‘relief event’ or ‘excused performance’ clauses).
While some of these provisions may be simply matters of commercial negotiation between the parties (and therefore influenced by the degree of bargaining leverage that each party has), there are a number which can create challenges from a practical perspective, particularly in the context of a public cloud offering. Some of these can be found below.
For a business critical function, a customer would ordinarily want to have a right of audit in order to satisfy itself, on a proactive basis, that things are working as they should. While this works fine when the supplier in question is providing its services from a dedicated site and so may still be do-able in the case of a private cloud offering, it becomes challenging in the context of a public cloud solution, where the supplier in question will likely be utilising the same infrastructure and facilities to service multiple clients, and so will be concerned as to the possibility of service interruption or breaches of confidentiality that may arise, were a party to undertake an audit and thereby impact upon service provision to the supplier’s other customers.
Changes to the services
Customers are used to the position whereby they acquire a software product or service on the basis of an agreed service description or specification, which does not then change without their consent. However, in the SaaS world, the supplier will ordinarily want to maintain a common code base across all of its customers, and will want to reserve the right to make changes if it believes this is necessary to enable it to maintain overall market competitiveness. Although such changes should generally be to add additional functionality, there is always the possibility that the developments will go in directions that an individual customer does not agree with or that are not in its interests. Suppliers may then be willing to grant the customer a right to terminate, but that is something of a phantom remedy for the customer, if it would then be put to the potentially not insignificant cost of having to migrate to a new cloud platform (and undertake a whole set of fresh integration efforts with the rest of its technology estate).
Compliance with policies
Larger customer entities in particular will have become used to imposing obligations upon suppliers to comply with their policies, particularly in relation to matters such as IT security. However, cloud providers will ordinarily push back on such requirements, given the fact that their various clients will potentially have very different and even potentially conflicting requirements. The onus, therefore, switches to the customer and its internal teams to make practical assessments as to the delta between its own policies and what the cloud supplier offers to its customer base at large.
When utilising business critical outsourced services, the market norm has become for suppliers to have very limited termination rights, often limited solely to non-payment of material amounts of undisputed fees. However, the expectations of the major cloud providers are diametrically opposed to this, with their contract terms usually providing for the supplier to have extensive termination and suspension rights, often linked to even non-material breaches of acceptable use policies which they impose upon their customers’ use of their cloud services. These kinds of disjuncts in expectations may have been easier for customers to live with, in the context of the early days of cloud services, for example when the functions being entrusted to the cloud service providers were less substantial in terms of value, and less critical to the overall operations of the customer entity. However, we are seeing a dramatic increase in the range and size of cloud-based offerings, with deal values at times extending into the hundreds of millions and covering services which most definitely are business critical. In those circumstances, the ability of the customer entity to ‘take a view’ on the risks associated with the kinds of contract terms on offer from the cloud suppliers is far more restricted, especially in more heavily regulated sectors, such as financial services, where regulators such as the Financial Conduct Authority (FCA), the European Banking Authority (EBA) and the Monetary Authority of Singapore have been very specific as to the kinds of contract clauses that they expect their regulated entities to be including in their cloud-related contract terms. We are, therefore, in an interesting time in terms of market dynamics, when we can expect past expectations and standards regarding ‘normal’ contract positions to be regularly challenged and to develop quickly.
It may be fair to say that for larger scale cloud services in particular, there has rarely been a time when contract positions have been more in flux than they are now. Interesting times, then, for the lawyers and negotiators dealing with them.
Kit Burden is a partner at DLA Piper. He can be contacted on +44 (0)20 7796 6075 or by email: firstname.lastname@example.org.
© Financier Worldwide