Best practices to reduce risk in cloud contracts
IT procurement or sourcing managers challenged with finding sourcing options that reduce costs at tolerable risks should examine nine contractual terms to reduce risk in cloud contracts, according to Gartner.
The cloud delivery model is gaining popularity, but it includes risks that are often unclear or overlooked when assessing the appropriateness of the sourcing model.
“Cloud solutions often appear to have lower initial and switching costs than traditional solutions, but include hidden costs and risks, and require unique terms for contract protection, compared to traditional arrangements,” said Alexa Bona, research vice president at Gartner. “Many cloud providers appear reluctant to negotiate contracts, as the premise of their core model is a highly leveraged approach. The starting point contractually often favors the vendor, resulting in a potential misalignment with user requirements.”
When assessing cloud offerings’ procurement and sourcing, executives need to understand what can be negotiated relative to risk elements, what they need to pressure cloud providers to offer, and what will likely not be negotiated.
The nine key terms to understand in cloud deals to mitigate excessive risk include:
Uptime guarantees. Despite the significant business-criticality of certain cloud applications, Gartner analysts have seen numerous contracts that have no uptime or performance-service-level guarantees at all, or that are only provided as a changeable URL link. Cloud contract negotiators must be aware of the performance service levels required and ensure that they are documented contractually, ideally with penalties, if the performance standards are not achieved.
Service-level agreement penalties. For service-level agreements (SLAs) to be used to steer the behavior of a cloud service provider, they need to be accompanied by financial penalties. If downtime or performance service levels are not met, negotiate penalties and escalation clauses. Money back is preferable to service credits, in terms of negotiating leverage and pressure on the provider, because no vendor likes to give money back once it has been booked.
Watch out for SLA penalty exclusions. More cloud providers realize that they need to add guarantees and quality measures for the services they sell in the cloud. To manage their risks, cloud providers usually put rigid penalty exclusion criteria into their contracts. Organizations should look carefully at exclusions to the right to penalties. For example, they should ensure that any downtime calculation starts exactly when the downtime commences.
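The point about where the downtime clock starts is easiest to see with numbers. The following is an added example (not from the article or from Gartner) that computes monthly availability from constructed incident records two ways: from the moment the outage actually began, and from the later moment the provider opened a ticket, which is the clock start many contracts quietly use. The credit schedule and the timestamps are hypothetical; the same check can be run against your own monitoring data when validating a provider's availability report.

```python
from datetime import datetime

# Constructed sample incidents for one 30-day billing month (not real data).
# "actual_start" is when the outage began per the customer's monitoring;
# "ticket_opened" is when the provider's support ticket was raised.
INCIDENTS = [
    {"actual_start": "2024-03-04T09:00", "ticket_opened": "2024-03-04T09:25", "end": "2024-03-04T11:10"},
    {"actual_start": "2024-03-15T22:40", "ticket_opened": "2024-03-16T00:10", "end": "2024-03-16T01:05"},
    {"actual_start": "2024-03-27T14:00", "ticket_opened": "2024-03-27T14:05", "end": "2024-03-27T14:50"},
]

MONTH_MINUTES = 30 * 24 * 60  # 43,200 minutes in the billing period

# Hypothetical credit schedule: (availability threshold %, % of monthly fee credited).
# Checked in order; the first threshold the measured availability meets wins.
CREDIT_TIERS = [(99.9, 0), (99.5, 10), (0.0, 25)]


def _minutes(start: str, end: str) -> float:
    """Whole minutes between two ISO-8601 timestamps, never negative."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return max(0.0, delta.total_seconds() / 60)


def downtime_minutes(incidents, clock_start="actual_start") -> float:
    """Total downtime using the chosen field as the start of each outage."""
    return sum(_minutes(i[clock_start], i["end"]) for i in incidents)


def availability(incidents, clock_start="actual_start", period_minutes=MONTH_MINUTES) -> float:
    """Availability percentage for the period, rounded to three decimals."""
    down = downtime_minutes(incidents, clock_start)
    return round(100 * (period_minutes - down) / period_minutes, 3)


def credit_percent(avail: float) -> int:
    """Map a measured availability to the credit tier it falls into."""
    for threshold, credit in CREDIT_TIERS:
        if avail >= threshold:
            return credit
    return CREDIT_TIERS[-1][1]


def compare(incidents) -> dict:
    """Availability and credit under both clock-start conventions."""
    out = {}
    for clock in ("actual_start", "ticket_opened"):
        avail = availability(incidents, clock)
        out[clock] = {"downtime_min": downtime_minutes(incidents, clock),
                      "availability": avail, "credit_pct": credit_percent(avail)}
    return out
```

With these inputs the customer's clock records 325 minutes of downtime (99.248%, top credit tier), while the provider's ticket clock records only 205 minutes (99.525%), which clears the 99.5% threshold and cuts the credit owed.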
Security. As part of the cloud-sourcing strategy, procurement and security executives should ensure that the provider’s security practices are at the same level as, or exceed, their own security practices, especially if the company falls under industry or national privacy-related regulations. Gartner recommends negotiating SLAs for security, especially for security breaches. The analysts suggest immediate notification of any security or privacy breach as soon as the provider is aware of it.
Business continuity and disaster recovery. Cloud contracts rarely contain any provisions about disaster recovery or provide financially backed recovery time objectives. Some infrastructure as a service (IaaS) providers don’t even take responsibility for backing up customer data. If organizations are prepared to back up their data within the enterprise, or to some other cloud service, and have the ability to use that data within an application, then they need to confirm that their provider offers a suitable API or other mechanism that lets the organization take responsibility for disaster recovery itself.
Data privacy conditions. If the cloud provider is complying with privacy regulations for personal data on behalf of the organization, the client needs to be explicit about what they are doing and understand any gaps. Contracts should unequivocally state that the cloud provider will not share personal data with anybody else (this becomes more complicated if they have to share data with a third party — e.g., a cloud infrastructure provider — which is common for many software as a service [SaaS] solutions) and that they will only do what the customer (the data controller) says they should do.
Suspension of service. Some cloud contracts state that if payment is more than 30 days overdue (including any disputed payments), the service can be suspended by the provider. This gives the cloud provider considerable negotiation leverage in the event of any dispute over payment. Organizations should negotiate an agreement that payments in any current legitimate dispute should not lead to a suspension of service. Some providers are removing disputed payments from this clause.
Termination. A number of cloud contracts allow the provider to terminate the agreement with 30 days’ written notice, or at least within 30 days of renewal. Users should negotiate for at least six months’ notice for the provider to terminate, unless the customer has materially breached the contract.
Liability. Most cloud contracts restrict any liability apart from infringement claims relating to intellectual property to a maximum of the value of the fees over the past 12 months. Organizations should try to negotiate for higher liability protections. Leverage the fact that these providers would have liability insurance to achieve higher caps, and be prepared to walk away if this issue is not resolved.