Negotiation Time

Anthony Skipper, VP of Security and Technology for ServiceMesh, and Charles Babcock, editor-at-large at InformationWeek, have both recently suggested that when entering into a cloud arrangement, the project plan should take into account a reasonable time to get the lawyers involved and the negotiations finalized.  In some cases, "reasonable time" might mean six months or longer.

In my experience, cloud providers generally prefer to start with short contracts.  When they hand a customer their standard contract for the cloud service, the customer is often surprised by the brevity and simplicity of the document, and their first reaction is often "look at how short this is -- we can close this deal in a couple of days."  The problem is that brief and simple documents rarely address the detailed and complicated issues that might arise in a cloud deal.  This might be fine if the cloud service is an expendable, "nice-to-have" service that has no access to the customer's systems or confidential information, does not impact day-to-day operations, doesn't raise a possibility of patent or copyright infringement, and won't be noticed or missed if it incurs substantial downtime.  For important or mission-critical services, however, agreements tend to be longer because they are more detailed.  For instance, while a short service level agreement (SLA) describing service uptime might be appropriate for non-critical services, for critical services a customer should expect detailed SLAs with error severity definitions, minimum response time guarantees, and escalation procedures for multiple service level categories.  Even with efficient drafting, the level of detail for a critical-services SLA involves more words, resulting in more pages.

A longer, more detailed contract takes more drafting and negotiating, more internal calls to discuss issues, and more levels of escalation for difficult or contentious items.  All of this means that it takes more time before a final agreement can be signed.  Cloud blogger Andrew Chapman, citing Anthony Skipper, said:

Negotiating contracts with cloud providers should not be underestimated as a task, especially for a large scale contract. This can take 6+ months just to negotiate the deal and this has been known to actually stop a project.

I have personally seen some cloud deals negotiated and finalized in as little as a week and others take more than a year.  During those negotiations I've gleaned some insights into what factors tend to make negotiations go more smoothly.  A few of the basic factors include the following:

  • Determine the scope.  A smaller project will typically take less time to negotiate than a large project.  If you need a deal done quickly, divide the project into phases and focus on the phase that must be done first.  By working in phases, it gives the customer an opportunity to assess how the project is going, and to pull the plug or go in a different direction if things are not progressing as planned.  
  • Start with a term sheet.  The negotiation process will go more smoothly if the parties clearly define the deal's business points in a term sheet prior to drafting the contract.  The term sheet can cover items such as what each party will do in the relationship, pricing and payment structure, contract term and renewal, whether the relationship is an exclusive or non-exclusive arrangement, and other business terms.  Even though a term sheet is not typically binding on the parties (and I counsel clients to avoid binding term sheets), it helps to define the scope and set the parties' expectations, gives the lawyers a roadmap for drafting the initial documents, and helps the business teams identify the contentious issues early in the process, giving the parties more time to resolve those issues.   
  • Start with a reasonable agreement.  If the intent of both parties is to get a deal done quickly, the first contract draft should be reasonable.  This isn't to say that every agreement must be completely fair and balanced.  But if the initial draft of the contract is materially one-sided in favor of either party, the negotiations will be longer as the non-favored party tries (perhaps unsuccessfully) to get a better deal.  If a party offers a one-sided contract, it's wise to either ask for a more balanced agreement or extend the project timeline to allow for longer negotiations.
  • Understand your deal leverage.  If one party perceives that it has more leverage than it actually does, the negotiations will take longer.  Get the best deal you can, but understand that if there is a single provider for a particular service and you are making up less than .05% of their annual business, you might not be able to get all the provisions you're asking for.  On the other hand, if a customer will make up 30% of a cloud provider's annual business and the cloud provider has several competitors, it's probably unreasonable for a cloud provider to refuse to negotiate the contract.  Sometimes companies intend to negotiate hard even though they don't have much leverage; if this is the case, be sure the timeline reflects a longer negotiation process. 
  • Bring the decision makers to the table.  Everyone understands that executives are busy and don't need to spend time in the weeds negotiating small details.  However, if it's an important contract and there are critical areas of disagreement, the process will speed up considerably if decision makers and stakeholders take part in at least some of the negotiation sessions, especially the sessions where contentious issues are discussed.  If decision makers are not part of the process, timelines will be extended as issues are discussed by the negotiation teams, escalated to the decision makers, discussed by the decision makers, and then the information and decisions are subsequently relayed back to the negotiating teams.  This escalation process repeats each time either party proposes a new resolution or concept.  Depending on vacation or travel schedules of the decision makers, I have seen this escalation process add many weeks to the negotiation timeline.
  • Understand the impact of deadlines. Deadlines are good to the extent they keep negotiations moving forward at a healthy pace.  But they should be realistic and reasonable.  Although many lawyers do a fine job negotiating with tight deadlines, most of them will tell you that whichever party has the most flexibility on timing will generally get the better deal.  For example, if a customer must have the agreement signed by the end of the week because it is fundamental to three of the customer's projects, the vendor will have an immense amount of leverage because each time the customer requests a change to the contract, the cloud provider can say "we'll need to escalate that issue, and we probably won't have an answer by Friday."  The customer can rant, reason, swear and protest all it wants, but if a vendor is not motivated to change a provision, then it likely will not be changed.  On the other hand, if a cloud provider is motivated to close a large deal at the end of the month in order to meet its quarterly revenue target, the customer will likely have more success in the negotiations when it says "we must have this provision added to the contract or we can't sign the deal."  Although the longer a negotiation goes the more likely it is that the deal will lose momentum, priorities will change, stakeholders will change, and the deal might fall apart, it's generally the rule that whomever can last the longest in the fight wins the battle.
  • Clearly identify action items and deadlines.  If action items and deadlines are not clearly identified during the negotiations (usually at the end of the meeting), then timing of the deal can be impacted.  The business teams should understand who is responsible for gathering information, getting sign-off on issues, and escalating open items.  Lawyers should understand which party is drafting changes to the documents, what information they will receive and when, and when the parties reasonably expect to receive revised documents.  Delays on the part of anyone in the chain can impact the overall negotiation timeline.

No one likes explaining to management why a deal that was unrealistically projected to get done in three weeks has taken six months to complete.  Addressing these factors early in the deal process will assist the stakeholders in setting realistic deadlines and help streamline the negotiations.  So even if the deal really does take six months to negotiate, at least it won't be unexpected.    

The Expanding Role of the IT Security Team

Ask any customers considering cloud computing services to identify their primary concern, odds are that security will be somewhere near the top of the list.  That concern is leading some in the industry to contemplate an expanding role of the IT security professional from developing and implementing corporate security policies to becoming more heavily involved in cloud computing contract negotiations and service level enforcement.   In my experience, however, that is only part of the expanding role of IT security professionals. 

Indeed, before even getting to the negotiating table, the IT security team needs to be actively involved with due diligence on potential cloud providers.  Under a non-cloud model, the IT security team typically has one set of security standards and policies for the company, and all of the applications and infrastructure being installed in the company's environment are subject to those standards and policies.  In a cloud model, however, where the cloud providers host the infrastructure and/or applications, the IT security team needs to review the security protocols for all of its cloud providers to determine whether those protocols meet the company's security standards and policies, and how those protocols will integrate with the company's infrastructure and other cloud providers.  

Accordingly, as part of the cloud provider selection process, and well before getting to the negotiating table, the IT security team should be involved reviewing each cloud provider's track record, security architecture,  ISO certifications, SAS 70 Type II / SSAE audit results, encryption standards, redundancy and back-up standards, disaster recovery capabilities, delivery footprint, and penetration testing results.  Given the ever-increasing number of cloud providers, this is no small task.  Although a customer might not be able to dictate its requirements regarding some of these areas, an early review of this type of information during due diligence can weed out some cloud providers and make the contract negotiation process much smoother with the remaining providers. 

This expanding role no doubt will put additional strain on the IT security team -- although there is something to be said about job security.