Don’t bury your head in the Cloud: What you need to know about cloud-based technology procurement
Legal Development 19 February 2025
UK & Europe
Technology, Outsourcing & Data
Whilst there is a lot of noise around artificial intelligence and the ways in which it will transform how businesses work, the key focus of technology investment by businesses continues to be in the transition to cloud-based technologies and solutions.
There are many benefits to the cloud – including greater flexibility and cost efficiencies – but cloud-based arrangements are vastly different, in both nature and risk profile, from the more traditional forms of technology procurement that businesses are used to.
Our experience is that businesses (both customers and suppliers) do not fully understand these differences and how they impact the cloud projects they undertake.
In this article we highlight some of the key differences, and risks, that businesses should be aware of when undertaking cloud-based technology projects.
Data risk:
Under a traditional software licensing model, data processed by the software application remains under the control of the customer.
The same is not true for software provided on a cloud-based software-as-a-service (SaaS) basis. Under the SaaS model, data processed by the application will typically be hosted and stored by the software provider, meaning the data is no longer under the control of the customer. This creates a number of risks for the customer that are not present under a traditional licensing model, including data security, operational resilience and data compliance risks.
If the data being hosted by the software provider is the only, or main, instance of that data then the customer will need to think long and hard about the potential impact of data loss on its business and how to mitigate that risk.
If the data being processed, hosted and stored includes personal data then both the customer and supplier will need to ensure relevant data protection laws are being complied with, including laws around international data transfers where the data is hosted and stored in another jurisdiction.
Compliance risk:
Software provided on a SaaS basis can often lead to different regulatory compliance considerations.
SaaS solutions should generally be seen as outsourcing arrangements, which for many sectors can introduce additional compliance considerations. For example, in the financial services sector the rules around material outsourcing may well need to be taken into account, including how those rules impact a customer’s contract with the SaaS provider.
General and sector-specific rules around operational resilience and security may also impact, and apply to, SaaS solutions in different ways. For example, the new EU regulation around financial services operational resilience, known as DORA, will need to be considered where a service recipient or service provider falls within its scope.
Understanding the SaaS delivery model:
Under a traditional software licensing model, it is difficult for a software provider to be held accountable for the performance of the application in practice as the application sits under the customer’s control and on the customer’s IT infrastructure.
The same is not true of SaaS solutions, where typically the software provider is in control of the IT infrastructure, hosting and security arrangements and how the application is monitored, maintained, updated and fixed. This fundamental difference means that a customer’s focus under a SaaS delivery model should be outputs-based, rather than process-driven.
For example, the customer should not concern itself with how a software provider intends to support and maintain the application, with the focus instead being on key outputs, such as the supplier’s commitment to ensuring that the customer has access to the application during the times that the customer needs it and that the application works as intended.
Comment
The cloud is very much here to stay and has many benefits as a technology delivery model; but there does need to be a fundamental shift in how both customers and software providers view the procurement of cloud-based solutions to better align with how this new delivery model works.
Customers should recognise the different risk factors in play, whilst focusing on key outputs. Software providers also have a role to play in acknowledging their different roles and responsibilities when moving from a traditional software licensing model to a cloud-based SaaS delivery model and tailoring their contracts accordingly.
For help with technology and outsourcing, please contact Clyde’s dedicated technology, data and outsourcing team.