New year, new contracts – tips and tricks for ICT contracting in 2021
In light of 2020’s unexpected changes and challenges, we are delighted to provide you with a summary of important ICT contracting tips and tricks to incorporate into your armoury of tools for 2021 and beyond.
Do contracts cover pandemic risks?
Caroline Atkins, Partner
How many of you had to review a force majeure clause last year to see if it covered pandemic risks? How many of you found they either did not or at least were unclear on the topic? We expect you will have to specifically deal with pandemic risks in your future contracts. Pandemics may affect many aspects of contracts, including availability of personnel resources, manufacture of components, and transportation of supplies. We think pandemic risk clauses need to be more specific than standard force majeure clauses. In our experience, government agencies and businesses should look for solutions for pandemic risks that do not result in any automatic protections for suppliers e.g. automatic delay. Here’s what you could do:
- Determine whether your contract could be affected by a pandemic risk, and if so how (pretty much every contract is at risk, because all contracts involve some element of labour or transportation supply). Consider the consequences if that risk arose and cover that risk specifically.
- Include a process for managing that risk (e.g. an obligation to report on anticipated risks (not just when they occur)), and an obligation to advise of implications and options for mitigation.
- Include clear choices for the customer that can be exercised by notice (e.g. a change to a supply chain component), or if that is not possible, a process for the parties to negotiate an outcome with protection for the customer if this is not achieved, such as early termination with any cost consequences pre-agreed.
- Build risk management into the performance framework. You can measure compliance with risk notification obligations, and if your expectations are clear, you can measure the quality and effort of risk mitigation activities.
Has the focus on security changed?
Gavan Mackenzie, Partner
Did you experience trouble negotiating strong contractual security clauses last year? We certainly did. Currently most vendors won't accept a simple clause obliging them to comply with any Commonwealth or corporate policy or direction a customer gives them. So, what can you do? Well, quite simply, you need to be more pragmatic about drafting and negotiating this important aspect of your contract. Here are some suggestions:
- Be specific in drafting your security requirements, for facilities, for personnel, for access to your ICT systems and for the security functionality you expect in the ICT products and services you are procuring.
- Don’t forget about security for working from home arrangements, and for digital communications tools.
- Identify the ways in which you could stay informed of emerging security risks and build in specific reporting obligations – if you are informed in advance of an emerging security risk, you have a much greater chance of avoiding it (e.g. by moving data).
- Consider how these risks could be mitigated if they arise, and build in mechanisms for doing this (e.g. obligations for the vendor to ensure its data backups are available to you, rights to require immediate personnel substitution, powers to direct the vendor about what you need them to do (particularly relevant to managed services contracts)).
- Motivate compliance with these obligations by including them in your performance measurement framework, your payment regime and your governance arrangements.
With cloud service usage increasing, what should I be thinking about?
Belinda Chapman, Associate
"Everyone loves the cloud!" is what we are hearing. But for your contracts, you should consider the following:
Certainty of usage rights and costs
Cloud services are not licensed like software. Customers usually buy a subscription for a specific term (e.g. 12 months) and pay for usage of the service, based on a metric associated with volume of usage (e.g. transaction volume). You need to understand the metrics and ensure they are clearly stated. Include protections against hidden metrics and other unknown charges, and ensure you correctly calculate your possible costs, including by ensuring that the pricing covers the metrics the customer needs and that pricing is pre-agreed for any required flexibility, up or down, in usage (and then manage them!).
Certainty of terms
Cloud Service Provider (CSP) cloud terms often link to other third-party terms (e.g. referenced and linked terms such as support terms). Make sure you check and understand these terms, and that they do not unacceptably reduce the responsibility of the CSP. Insist on risk mitigations, such as additional layers of support.
Access to customer systems and data
For cloud services, the data is stored off site and in the ‘cloud’. Check where the CSP’s data centre is located and specify any requirements you have (e.g. storage of customer data in Australian data centre facilities only). Many CSPs will offer improved protections even for public cloud services, at a consultancy rate.
CSP security policies are usually written without clear security outcome promises. You can seek to negotiate mitigations, and of course obligations to comply with mandatory laws and policies. You need to understand how the product is supported and managed and impose or implement the best possible protections for controlling access to systems and data. These may include limits on access to non-production environments, limits on personnel who can access (e.g. data processors in another jurisdiction), a prohibition on data mining, and obligations to implement available security features such as dual authentication and other access controls. Customers know less about the components of a cloud services solution than they do with on-premise solutions. CSPs cannot guarantee security, but they can implement strong security protection measures. We recommend that, in addition to focusing on security liability, you insist on promises about the strength of the security measures (including notification of cyber threats/events) to be put in place, and mitigations for the risk of any security event.
Remember the Digital Transformation Agency’s Cloud Marketplace not only covers all of these issues, but also offers customers a lot of flexibility in going to market with contract terms that suit their risk appetite and requirements.
Now that you are trying to procure solutions that offer multiple use options and flexibility for the future, how do you build these requirements into your contract?
Bridget Sullivan, Associate
Doesn’t it sound logical that if you are buying a solution configured for your specific agency business requirements, you would look to ensure you can use it for other purposes? How do you build in this sort of flexibility? The concept of ‘reuse’ is increasingly important in procurements of multi-component solutions. Here are some suggestions:
Think about the bigger picture
What do you want to use the solution for? When do you want to use it? Why do you want to use it? Who else do you want to permit to use it, and how can they do this? For example, do you want to be able to swap components in and out, do you want to allow use of your solution by individuals from other organisations, or do you want to be able to pick up your solution (or components of your solution) and share it with other organisations so that they can then configure it to meet their requirements (or both!)?
Clearly describe what you are trying to achieve in procuring a solution that can be reused for other purposes or by other agencies or affiliates. This will help tenderers ensure they have appropriately reflected all risks in their proposal, and that there are no nasty surprises when you want to share your solution with other customers! Consider including evaluation criteria and functional/non-functional requirements which reflect your use requirements.
Be clear about the flexibility you want
Cover this in your description of required usage rights but also in your requirements for pricing. Look for pricing that gives you scalability and flexibility.
Look for limitations
Standard vendor terms almost always include limitations, such as limitations on use rights which may prohibit your reuse requirements. Make sure that the precedence mechanism in your contract addresses these risks.
Governance and collaboration
Consider how you want the vendor to engage more broadly with stakeholders.
Teamwork makes the dream work
Maintaining strong relationships with vendors is always important and goes a long way. But you should also think about how you want your vendors to work together and manage issues, and what visibility you require over these relationships.
Money, money, money
Your charging mechanism should be clear and distinguish between fixed and variable charges. It should also include a price basis for your use and other reuse requirements (e.g. metrics for scalability, a price basis for other entities to buy the same products or professional services).
Be open about what your procurement approvals cover. If some reuse rights depend on future approvals, make that clear.
Have you encountered reseller arrangements in ICT contracts more than ever before? What do you need to know about them?
Nick Topfer, Senior Associate
A reseller is an entity that sells a product or service it did not create. Resellers are often used by suppliers of software, hardware and cloud services to leverage third party distribution channels and access new markets or customers. Resellers are a prominent feature of ICT transactions, but ICT customers dealing with a reseller often have limited visibility of that reseller’s arrangements with the original supplier. There are multiple reseller models and each model can have different implications. Depending on the reseller’s arrangements with the original supplier, a customer could be required to contract with the reseller, the original supplier or both!
It is important for agencies or companies purchasing hardware, software or cloud services from a reseller to be aware of how resellers operate and to ensure contract documentation addresses additional risks arising from the reseller’s arrangements. Think about the following issues:
Original supplier’s terms
When purchasing software from a reseller, procurers will usually still be asked to sign or accept the original supplier’s terms and conditions. This might be done formally in an ordering document, or otherwise (e.g. customer personnel might be required to tick a box when using the software to accept the original supplier’s “end user licence agreement” or EULA). Some of these terms and conditions will be relevant to the technical specifications or operation of the software, e.g. they might set out what a user can and can’t do with the software or how it operates. However, as with all software, cloud and hardware arrangements, supplier terms (if they are enforceable) can create legal or commercial risks, so customers should make sure these are clearly specified and acceptable.
The original supplier will not necessarily be bound by the reseller’s statements and representations about the product or service. So, when contracting directly with the original supplier, businesses or government agencies should ensure that the contract for the product or service properly reflects all of the reseller’s representations.
Follow the money
Payment arrangements under reseller contracts can be complex. A buyer may be required to make payments to the reseller only, or to both the reseller and the original supplier. Make sure the contract or ordering document is clear about the total amounts payable, to whom and when. When making payments to the reseller only, make sure the contract or ordering document states those payments are in full satisfaction of obligations to the original supplier as well. When making payments to both the reseller and the original supplier, make sure you understand what products or services each payment relates to – to ensure you are not being double charged.
Are you looking for the best possible ICT managed services contract? What should you be thinking about?
Samantha Haddon, Associate
Managed services are still all the rage as an option for outsourcing some ICT business support. While internal ICT might look simpler with a transition to the cloud, that doesn’t mean you don’t need to focus on ensuring that your requirements are very clear. Here are some things that could go wrong:
- You define your requirements too broadly (e.g. anything needed to support the business) and you end up with an argument about what tasks are expected to be performed.
- Service levels that don’t really measure what is important to the customer. Focus on using qualitative (but clear) and quantitative measures – don’t make them too complicated.
- Insufficient focus on strategic issues such as the benefits of new technology. Encourage innovation by building measures into your performance framework, and address failure to deal with interdependencies with other providers or stakeholders. We have advised on many outsourcing contracts where vendors have not appreciated the complexity of the customer’s infrastructure and business requirements.
As an in-house ICT lawyer, how can you achieve the best possible effective relationship with your external lawyers?
Angelina Yang, Associate
External lawyers love having internal lawyers involved when they provide legal support to companies and government agencies. This is because they know the internal lawyers will help project manage the legal services and will also offer the benefit of their deep understanding of the business or agency and how they operate. How can you get the best from this relationship? Here are some tips:
|Practical Tips|Examples to consider|
|Communication: establish protocols for communications at the outset and ensure all stakeholders understand them.| |
|Role of internal and external lawyers: consider defining the role each group of lawyers will have during a project.| |
|Format and delivery: specify if there are preferences for the format of advice, or the way it is delivered.| |
|Feedback: if during the engagement, a client decides that it prefers legal support to be provided in a different way, we would love to hear from you!| |