For the third year running we have undertaken our Cloud Survey, in which we reach out to individuals within our firm clients and partner organisations in the cloud services space. We use the survey to uncover trends in this important marketplace, and to understand buyers’ and providers’ key objectives, hesitations and criteria for procurement and contracting.
While this year a greater majority (66%) of survey respondents were in a legal role, procurement, marketing, IT, InfoSec and C-level executives were also well represented. Consistent with past surveys, our respondents represented a broad geographic distribution with just under half operating globally.
Now that the survey is in its third year, we enjoy the additional benefit of tracking trends over a longer period, and gaining some insight into where they might be headed.
Security has been one of the most consistent themes across our three surveys. Interestingly, this year 80% of buyers and providers, up from just under 50% last year, indicated that their contract stipulated a specific security standard to be complied with, rather than a general obligation to keep data secure. The majority mandated an ISO 27000 series standard, though other standards referenced included HIPAA, NIST 800 series, ITIL, PCI-DSS, FedRAMP and COBIT.
Convergence, customisation and complexity are other consistent themes emerging from our survey. The longer offerings stay in the marketplace, the greater their convergence and standardisation. Solutions have become more customised, which seems to have brought a corresponding reduction in contracting time. However, even though products converge, cloud deals remain complex. Respondents consistently cite this complexity as an impediment to negotiations and at times a source of disappointment.
As previously, this year’s survey found a majority of deals (60%) are done on provider paper, with 19% done using a mix of both buyer and supplier terms. Respondents indicated that these mixed terms were typically on the provider’s paper, but with buyer terms (like certain security requirements) pulled across over the course of the negotiation. On average 50% of terms were negotiable, up from 40% last year, with cost being most up for discussion, and solution architecture and security the least.
Another interesting negotiation trend to emerge was that buyers and providers are remarkably close together in what limitation of liability levels they consider acceptable. The majority of both groups responded that the liability cap in their contract was a multiple of fees, with a range of 1-5 times annual fees for buyers, and 1-3 times for providers. In a minority of cases (10% less than last year), parties had negotiated for, or accepted, uncapped liability for data security breaches. Providers indicated that caps for data security breaches were typically a multiple of fees rather than a dollar amount, while for buyers there was a nearly even split between those two options.
Looking to the future, around 60% of buyers indicated that their cloud offerings met their goals, down from 70% last year. Those who reported shortcomings in their service pointed particularly to privacy and compliance issues, complexity of implementation and quality of service. As in previous surveys, security, privacy and regulatory compliance are the primary concerns of respondents in relation to cloud deals, followed at a distance by maintaining qualified IT staff, system management and cost containment.
Thank you for your interest in our 2016 Cloud Survey, and its insights into the continued evolution of the legal and regulatory landscape in this space. Please do not hesitate to contact us for additional information.