A survey report released by Baker McKenzie reveals that it is critical to understand which parts of the cloud contract are negotiable and which are not, particularly in newer portions of the marketplace that have greater variance in solutions and contracting terms.
The longer an offering has been on the marketplace and the longer an application has been made available as an online service, the greater the convergence between the offering and contract, according to the companies surveyed.
“Our survey results indicate that there may be convergence in the more established parts of the cloud marketplace, such as Software-as-a-Service, but less so in others, such as Infrastructure-as-a-Service and integration with machine-to-machine/Internet of Things solutions,” said Peter R. George, a Partner in Baker McKenzie's TMT Group.
“As more cloud technologies come to the forefront and the laws applicable to them advance, it's the buyers and suppliers that can adapt to the evolving business realities of cloud arrangements who will seize the opportunities,” he added.
The survey report, now in its third year, highlights the top objectives, hesitations, and criteria that buyer respondents factored into their cloud procurement determinations. These factors are almost identical to the responses from cloud providers, potentially indicating further convergence in the marketplace.
Interestingly, this year 80% of buyers and providers, up from just under 50% last year, indicated that their contract stipulated a specific security standard to be complied with, rather than a general obligation to keep data secure. The majority mandated an ISO 27000 series standard, though other standards referenced included HIPAA, NIST 800 series, ITIL, PCI-DSS, FedRAMP and COBIT.
Another notable negotiation trend to emerge was that buyers and providers are remarkably close together in what limitation of liability levels they consider acceptable. The majority of both groups responded that the liability cap in their contract was a multiple of fees, with a range of 1-5 times annual fees for buyers, and 1-3 times for providers. In a minority of cases (10% less than last year), parties had negotiated for, or accepted, uncapped liability for data security breaches. Providers indicated that caps for data security breaches were typically a multiple of fees rather than a dollar amount, while for buyers there was a nearly even split between those two options.
The survey also asked respondents to identify the best way to structure contracts for solutions involving multiple cloud providers. 42% of respondents indicated buyers contracting with each provider as the best solution; 35% said a buyer contracting with a prime contractor was the preferred approach; and 23% suggested a hybrid approach with some buyer contracting.
Additional key findings from the report:
- About 60% of buyers indicated that their cloud offerings met their goals (last year, 70% of buyers responded positively).
- A majority of providers indicated they offer solutions that may be tailored for IoT integration.
- Our respondents indicated that where there was a mix of paper, the parties would typically pull certain buyer terms (e.g., security requirements) into the provider’s paper.
- 80% of buyers/providers indicated that the agreement required the provider to follow specific security standards.
- A majority of buyers indicated they included at least some prohibitions on where a provider may host their data.