As IT vendors grapple with the impacts and risks of COVID-19, how can customers manage exposure when contracting for new services?

By Alain Traill, Christian F. McDermott, and Andrew C. Moyle

COVID-19 has — temporarily or otherwise — disrupted the status quo. For IT vendors the situation is no different, with many being forced to dust off their contracts and seek relief under force majeure provisions. So, where does this leave customers that are seeking to enter into new IT service arrangements, but find themselves faced with pushback from increasingly risk-averse vendors (not just in terms of COVID-19, but also future COVID-19-type scenarios)?

The question of where risk should lie is becoming a new battleground in negotiations. This post focuses on the customer’s perspective, setting out some key steps that customers can take to help achieve a balanced contract.

  1. Have an open discussion with the vendor about the potential service impacts of COVID-19.

While the situation is still evolving, COVID-19 is a reality and has been for some time. The strongest vendors are forming a clear picture of how COVID-19 is impacting, and likely will impact, their services. Customers should not be afraid to put vendors on the spot — holding an open discussion will enable both parties to explore how impacts can be managed (and ultimately, identify where any outstanding risk should lie).

  1. Structure the service in the most resilient way possible.

Many IT services are capable of being built, designed, or configured in a variety of ways. Depending on what is being procured and the cost, it may be possible to structure solutions so as to mitigate the impacts of COVID-19 (and similar situations in the future). For example:

  • Where services are provided on or from a vendor’s sites, it may be possible to spread risk across geographies by ensuring the vendor will switch-over to other locations in the event of disruption. This may work well for services such as remote IT support. Contractually, this can be borne out in the vendor’s business continuity/disaster recovery obligations.
  • Automated services will often be the most resilient to COVID-19-type impacts, given that they require less human input. However, even these require some intervention, and limiting the effects of COVID-19 in particular may be possible by, for example, deliberately selecting software that is unlikely to require a major upgrade in the near future.
  1. Consider whether internal (or other third-party) solutions can fill any gaps.

If a vendor cannot offer a practical solution for a particular impact, customers may be able to achieve a workaround internally. The contract can then be drafted to facilitate this. For example, if part of an automated solution becomes unavailable, it may be possible to replace this functionality with other software or with temporary manual workarounds. Contractually, customers should seek to avoid obligations to pay fees for the disrupted service in this situation (and, ideally, be able to recover resulting internal and third-party workaround costs).

  1. Make it clear which party will bear any remaining risk of service disruption.

Having identified the potential impacts and attempted to find practical solutions, customers should be in a strong position to negotiate the allocation of any outstanding risk. While the outcome may vary depending on the circumstances (e.g., the value of the service), the following are key points to consider:

  • COVID-19-type scenarios are no longer an “unknown” or “unforeseeable” risk. Many customers will simply take the view that the associated risk of service disruption should lie entirely with the vendor. Contractually, the main way of achieving this will be to carve such disruption out of force majeure (and other relief) provisions, either expressly or by ensuring that the relevant definitions are sufficiently narrow as to exclude COVID-19-type scenarios. If adopting the latter approach, care should be taken to ensure that relief is not inadvertently granted through reference to events such as “governmental action” (which could include lockdowns, for example).
  • Look beyond relief provisions and take into account other risk allocation mechanisms in the contract. For example, ensure that the liability provisions enable recovery of specific heads of loss that could be suffered in COVID-19-type scenarios (e.g., service downtime).
  • Insurance may be available to cover some of the potential service impacts, although, unless the vendor already has this insurance in place, there will likely be a discussion as to which party bears the cost. This will be an area to watch, as insurance policies evolve in response to the current situation.
  1. Ensure that the output of discussions about “risk” flows through to the fee arrangement.

While service impacts may be the immediate concern, customers should consider how any service disruption will impact on fees. For example, in the event that the service or a key component is “down”, should there be a corresponding suspension of fee payments or even a credit to the customer? Alternatively, can the fees be structured in a way that is naturally flexible, to account for any ramp-up or down in usage? As above, this may be particularly useful if a key workaround during any service disruption is to use an alternative solution or a manual workaround.

Key Takeaways

Pandemics – with their resulting impacts on IT services – are now a reality. If the question of how to address these impacts becomes a sticking point in negotiations, customers should not be afraid to engage in an open discussion with vendors about actual service impacts and potential practical solutions. This will place customers in a more informed (and therefore stronger) position when it comes to both negotiating whether or not any relief will ultimately be granted and agreeing a liability regime and fee structure that will protect commercial exposure as far as possible.