With the Covid-19 pandemic changing the workplace, possibly permanently, the uptake of cloud-based solutions has increased with the demand.
Lawyers from Bryan Cave Leighton Paisner have some interesting thoughts on this shift. Here, Marcus Pearl, Partner and Global co-Sector Lead for Technology, who has 20 years’ experience in the corporate technology field; Louis Wihl, Senior Associate, who advises both customers and suppliers in IT, technology, outsourcing and commercial services transactions; and Anna Blest, Knowledge Development Lawyer for the Technology and Commercial Group, who specialises in commercial contracts, information technology, intellectual property and outsourcing, share their thoughts on the impact of Covid-19 on Cloud uptake.
The traditional workplace is spinning on its axis and home-working has moved from a trend to an established fact of life. In response, the steady jog by businesses towards using cloud-based software and infrastructure has become a sprint, with COVID-19 driving demand for easily accessed solutions which meet the needs of a newly remote workforce. As well as user demand, difficulties managing data centres during the pandemic have also led some organisations to accelerate their migrations to the cloud, in response to reduced headcount, problems accessing data centre facilities and delays in hardware supply chains.
Research from Flexera shows that expenditure on cloud technology grew 50% in 2020, with investment in Software-as-a-Service, Platform-as-a-Service and Infrastructure-as-a-Service (as well as networking technologies) the leading expenditures. However, research also shows that organisations are over budget for their cloud spend by an average of 23%, while 30% of cloud spend is being wasted.
Given the size of investments, are cloud technologies demonstrating bang for their buck? Lower up-front costs and reduced hardware management expenditure are attractive propositions but come with the risk of relying on third parties. This is particularly sensitive for organisations in highly regulated industries like financial services. Notwithstanding this, the UK financial services sector, and the FCA and PRA, have long been supportive of cloud solutions, recognising that they offer flexible capacity, scalability, cost efficiencies and the promise of the protection of a large tech company’s sophisticated cybersecurity measures. But what are these promises actually worth to those choosing to invest? And how can the associated risks be mitigated?
Data (Security and Portability)
Managing migration to new technologies is challenging at the best of times, and made harder when workforces are operating remotely. We have seen substantial fines issued in the US for data breaches occurring on the migration of significant IT operations to the public cloud. Regulators have been critical of both risk assessment processes and the role of internal auditors in identifying control weaknesses in the cloud-operating environment. Customers also need to consider how they intend to migrate away at the end of the contract.
The private cloud can offer more bespoke mechanisms to manage business continuity, but most organisations operate a hybrid public/private cloud model. This offers some cost advantages but comes with the attendant risk of increased data security concerns in a multi-tenanted cloud environment.
Regulation of the Cloud
Now the EU transition period has ended and regulatory change is taking place, authorised firms need to manage their risk exposure by ensuring they are complying with the current regulatory requirements relating to use of cloud services. Different types of firms are subject to different requirements, with overlapping SYSC, Solvency II, EBA and EIOPA provisions as well as FCA and PRA guidance to consider. These include obligations to report certain types of arrangement, document decision making and ensure mandatory terms are incorporated into the contract.
Many sophisticated cloud suppliers will be able to provide contracts or addenda which purport to satisfy the mandated contractual requirements specific to their customer base, but these should always be carefully reviewed to ensure they are up to date and fully satisfy the requirements for your organisation.
Whilst many cloud providers are seeing a boost to their revenues during the pandemic, it is important not to assume that they will be immune from financial difficulties in the future. Regulators require businesses to demonstrate robust contingency planning, and internal analysis should be carried out to ensure critical dependencies on single suppliers are minimised.
For Software-as-a-Service arrangements in particular, the consequences of supplier insolvency can be significant. The customised nature of software-specific data fields and data storage used by the applications can make it hard to find an alternative provider who can provide the necessary software functionality and/or interfaces, especially on short notice in the event of supplier distress. There may also be difficulties in extracting and migrating data to the new provider, which well-drafted exit support terms can help to mitigate.
With both global economies and individual organisations facing significant headwinds due to COVID-19 challenges, technology teams are likely to continue to be under significant financial pressures whilst finding themselves ever more critical to the smooth running of their businesses. Cloud solutions are an important part of meeting this challenge, but attention needs to be paid to the contract terms to ensure that key risks are addressed. Customers often assume that the terms provided by large multi-national IT suppliers are non-negotiable, but key protections and risk mitigations can often be added.