In our blog, 5 Benefits of a Bird’s Eye View of Legal Risk for SMEs, we recognised that legal risk is just one aspect of the whole risk picture and often overlaps with other risk categories within a business’s risk management strategy. However, it is a very useful and beneficial starting point to analyse the risk impact of the bespoke product/ service mix on a business.
In our blog Are we digital? And why does it matter? we recognised that there is a level of difficulty with terminology, which makes it hard for businesses to fully identify and understand where they might fit within any regulatory regime, or to understand what potential developments (e.g. at the policy level) might impact them in the future. In this blog, where we refer to a cloud provider, we mean a provider of cloud connectivity, networks, or security solutions at any level of the supply chain.
The importance of the bespoke product/ service mix of a cloud provider
The precise legal risk profile of a cloud provider will vary according to the bespoke nature of its industry/ product/ service mix, clients, supply chain and strategic intent. For most cloud providers, the “mix” at its most basic level will involve a supply of software, hardware and services. However, the finer details will refine the bespoke risk profile and inform the details of the tools to manage those risks.
Whilst some cloud providers may specialise in reselling third-party software, adding value through their own services, others may act simply as brokers. More commonly, many cloud providers provide a range of services such as connectivity, networks, etc., often as part of a service wrap such as a managed service, a business transformation project or otherwise.
Key legal risk categories for cloud providers using the bespoke product/ service mix as the linchpin
As an in-house lawyer for any cloud provider, I would look at the following three categories to develop a bird’s eye view of the legal risk profile, which would inform, in particular, contractual content as well as other operational mitigations and tools.
1. Compliance Risk
Data protection is probably the best known of all compliance requirements, but it is not the only one. Identifying the laws and regulations, and any regulatory bodies, that apply to the business is critical, as this shapes internal processes, registrations and contractual content. For most cloud providers, the main exposure to personal data under a client contract is probably through hosting or support and maintenance services. This usually means complying as a data processor, not a data controller (however, all businesses are data controllers in respect of employee personal data, for example). Closely related to data protection but less well known are the Network Information Systems Regulations, which place security-related obligations on certain cloud computing service providers (see The Network Information Systems Regulations and providers of access to cloud resources). For those businesses that provide telecommunications solutions such as mobile connectivity, Ofcom regulations and guidance will also apply, particularly the General Conditions of Entitlement.
It is possible that the product/ service mix of a cloud provider could capture all of these aspects of compliance.
2. Asset Risk
A dive into asset risk has on more than one occasion helped clients shape licensing strategy, client contract content, negotiation strategies and procurement processes. Whether it’s perfecting the intellectual property audit trail or looking at other critical aspects of the supply chain, it’s a very worthwhile analysis as it will ultimately impact on overall company value and straighten out some of those lingering thoughts (which prospective buyers may raise as part of the due diligence process during the business sale process). Reselling is a very common aspect of many cloud provider models but understanding where and how that fits into the value of the service provided and managing the risks of licences and identifying substitutes as part of a business continuity/ marketing strategy will help solidify the value built by a company in reliance on these supply chain aspects.
3. Project/ Client Risk
This will largely be dictated by the nature of what is being provided and how. For example, the delivery of third-party click-wrap security software products on a one-off basis will elicit a different risk profile to an outsourcing project with a set-up phase, which might also involve the sale of those click-wrap software products.
“Reselling”, as mentioned above, is another widely used phrase, but one whose legal substance needs to be unpacked. What is actually happening within the “reseller” relationship will dictate, amongst other things, the contractual provisions. For example, where the services/ products are ultimately still provided by a third party, but that third party is a sub-contractor rather than having a direct contractual relationship with the end user, the risk profile will change. It is possible (and common) that a cloud provider who is a reseller is a contractual conduit: it will have a contractual relationship with the end user client, but will also have obligations to the third party as its reseller, amongst other things, to pass on end user licence terms and to underwrite non-payment by the end user client. It really does just depend on what is happening.
Common contractual provisions include the following:
Contractual provisions to manage change control/ scope creep for projects.
Deemed acceptance provisions, so there is clarity on when projects finish, which usually triggers support and maintenance and/or milestone payments.
Statements regarding availability as part of the mesh of other protections for the cloud provider.
Project-specific risks identified (for example, by setting out certain client dependencies on which the cloud provider is relying to deliver a project), on which, amongst other things, pricing assumptions may be based.
This is not the place to set out a detailed list of contractual content (that is another blog for another day), but suffice it to say, contracts are a major part of the risk mitigation toolkit (see Contracts: a part of the risk management strategy) in respect of asset risk and project/ client risk (and, to a lesser extent, compliance risk). Contracts are not, and should not be, just “documents”. They are, along with other risk management controls, a living, breathing part of the business’s operations and strategy.
In short, a legal analysis of the business could be way more helpful than you might think.
Connect with Tracey at tracey@law-point.co.uk or call 01202 729444.
© The Contract Shop t/a Lawpoint
Information correct as at 11 January 2024