The use of ‘cloud computing’ solutions by businesses is becoming ever more commonplace and, by some estimates, the market will be worth $411bn by 2020. Even the U.S. Department of Defense is now looking to store its military data in the cloud under a contract expected to be worth $10bn. In the UK, the government’s Business Productivity Review recently urged small businesses to “get in the cloud” to plug the “output crisis” facing Britain’s SME economy.
Accountancy and other professional services firms are no exception. Market intelligence firm IDC predicted earlier this year that professional services would rank second among industries in their level of investment in the public cloud in 2018.
‘Cloud computing’ can mean different things to different people but, in short, it is the on-demand delivery by a service provider of computing resources to customers over a network, independent of device and location. So why go into the cloud? The most common reasons tend to include a) better availability and resilience, b) access to security controls and expertise that would be expensive to build in-house (bearing in mind that configuring the service, managing who can access it and looking after your own data remain your responsibility, not the provider’s), c) substituting opex for capex and d) gaining the flexibility to meet future demand.
While a move to the cloud will be inevitable for many (if not most) accountancy firms over the next few years, there are some pitfalls. Here are ten things firms should be considering to avoid or mitigate the potential risks:
1. Have a clear vision and get buy-in
Identify very clearly the challenges that you are seeking to address within your business by moving into the cloud. Then consider whether your organisation is ready to adapt. Use of cloud services requires “buy-in” from the leaders of all affected business units (including support functions) and from senior executives. This can be a major project involving cost, risk, time, planning, testing and pilot groups.
2. Vendor due-diligence
Is your organisation engaging a cloud provider that is “best-in-class”? What accreditation and certification standards (e.g. ISO 27001 and ISO 27018) does the cloud provider adhere to? Ask for the certificate’s scope statement and the latest audit report rather than relying on the badge alone: an ISO 27001 certificate only covers the locations and services listed in its scope, which may not include the service you are buying. Has the vendor suffered any high-profile security breaches recently and, if so, how did it respond and notify its customers? Can they meet your particular goals and will they stand behind those contractually? What sub-processors do they use and why? Is the data geo-located within the EEA? What will happen if Brexit occurs?
It is essential to do these background checks before you choose a cloud provider, so that your decision is an informed one.
3. Migration and testing
A clear project plan will need to be in place to migrate data, and there needs to be a clear allocation of responsibilities between your firm and the vendor. Allow enough time for testing and ensure that you have an adequate period in which to undertake user acceptance testing (UAT). For various reasons, migration or testing can take longer than expected, so legacy services should be operated in parallel during UAT (so that you can fall back to them if the migration fails) and you should (ideally) negotiate specific termination rights, e.g. if, after repeated acceptance testing, the cloud service does not meet the stated contractual requirements.
4. Storage and retention of data
‘Pay as you go’ cloud solutions can help to reduce costs because you only pay for the resources that are actually used. However, costs can escalate when storage limits are exceeded. Can you control the amount of data used by your business? For example, consider whether you have in place an effective data retention policy to ensure that data is kept for no longer than is necessary, and whether it is actually enforced. Also check that you have enough data headroom under the vendor’s fair usage policy or within any other data limits.
5. Charges and minimum commitments
A cloud solution can take costs off the balance sheet and help to reduce your one-off costs (e.g. licence fees and hardware spend), but cloud computing can often prove to be a more expensive solution overall (e.g. you are probably paying for enhanced service and better security). This can be especially true when compared to the cost of running legacy solutions that are overdue a refresh.
Take note of minimum term commitments and try to negotiate price protections both during the contract term and for any renewal.
Although pricing of set-up and configuration can be a “chicken and egg” scenario until scoping has been undertaken (often done post-contract signing), see if you can negotiate a ceiling on cost in this regard, especially if the solution is a relatively vanilla solution and has been sold by the vendor to other accountancy firms already.
6. Division of responsibilities
Ensure that your organisation and the cloud provider are aligned on approach and responsibilities, especially in respect of migration and set-up. Will your staff need training and support from the cloud provider? What ancillary services may be required, including exit migration services on termination, and will the cloud service need to be customised to meet particular needs of your organisation?
7. Protection of personal data
The GDPR introduced the potential for higher fines (up to 4% of annual worldwide turnover or EUR 20 million, whichever is higher) for personal data breaches, and organisations are required to “use only processors providing sufficient guarantees to implement appropriate technical and organisational measures” so that the requirements of the GDPR are met and the rights of data subjects are protected.
You will therefore need to undertake due diligence (including physical diligence) to ensure that the provider is suitable in view of the nature of the personal data and the risk that processing it entails (e.g. whether the data is special category data or otherwise high risk in itself). You will need to have a “Data Processing Agreement” with the provider to ensure that the key obligations of the GDPR are met (this can be a schedule to your main agreement).
8. Security
Many data breach fines relate to inadequate security. Security can rarely be guaranteed 100%, but do all that you can to ensure that the vendor can meet your own requirements (which you should draw up) and embed them into the contract (or check that the vendor’s promised levels of security are adequate). Identify who is undertaking penetration testing and how often, whether you will receive the results (or at least a summary of them) and whether you may run your own tests against the service, and make that clear in the contract.
9. Availability and service levels
Monthly (or shorter) availability requirements should be set out in an SLA, and the remedies carefully considered. Many vendors attach a wide range of caveats to the promised availability which can undermine the promise and often need to be “re-balanced”. Common examples are planned maintenance windows which do not count as downtime and over whose timing you are given no say, and availability being measured only at the provider’s own network boundary rather than at the point where your staff actually use the service.
10. Service credits, termination rights and other remedies for non-performance
Last but not least, you should have the comfort of adequate remedies in case things don’t go to plan. Remedies for a failure by the cloud provider to provide the services in accordance with the SLAs need to be meaningful and workable. Service credits should be a genuine disincentive to poor performance; often they are stated to be an “exclusive remedy” and must be claimed within a short window, which may not be appropriate. Typically, a vendor will pro rata any service credit to the charge for the particular server or virtual machine affected, which means that an outage of a cheap but critical system may earn a trivial credit. Consider whether you should seek to “weight” service credits in favour of the more important servers or virtual machines.
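The two points above (the maintenance-window caveat in item 9 and pro rata versus weighted credits in item 10) are easier to assess with the arithmetic in front of you. The following is an added example and is not code from the original post or from any vendor’s contract. The incident log, monthly charges, importance weights and credit tiers are all constructed for illustration; a real SLA will define its own measurement period, exclusions and schedule.

```python
"""Availability SLA and service-credit arithmetic.

Added example, not code from the original post or from any vendor
contract. It shows two things the post warns about: how excluding
planned maintenance from the availability measurement changes the
outcome, and how pro rata (per virtual machine) service credits
compare with credits weighted towards the VMs that matter most.
All incidents, fees, weights and credit tiers are constructed values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

MONTH = timedelta(days=30)  # constructed 30-day measurement period


@dataclass(frozen=True)
class Outage:
    vm: str
    start: datetime
    end: datetime
    planned: bool  # True if the outage fell inside a vendor maintenance window

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


# Constructed incident log for one month.
INCIDENTS = [
    Outage("ledger-db", datetime(2018, 9, 3, 1, 0), datetime(2018, 9, 3, 4, 0), planned=True),
    Outage("ledger-db", datetime(2018, 9, 14, 9, 30), datetime(2018, 9, 14, 12, 0), planned=False),
    Outage("web-portal", datetime(2018, 9, 20, 2, 0), datetime(2018, 9, 20, 2, 20), planned=True),
    Outage("file-share", datetime(2018, 9, 25, 15, 0), datetime(2018, 9, 25, 16, 0), planned=False),
]

# Constructed monthly charge per VM (what a vendor pro-rates against) and a
# customer-negotiated importance weight (the alternative the post suggests).
# The ledger database is cheap to host but critical to the business.
MONTHLY_FEE = {"ledger-db": 1000.0, "web-portal": 1500.0, "file-share": 2500.0}
WEIGHT = {"ledger-db": 7.0, "web-portal": 2.0, "file-share": 1.0}

# Constructed credit schedule: availability at or above the floor earns the
# given fraction of the fee as a credit. Checked from the top down.
CREDIT_TIERS = [(0.999, 0.00), (0.995, 0.10), (0.990, 0.25), (0.000, 0.50)]


def availability(vm: str, exclude_planned: bool, incidents=INCIDENTS) -> float:
    """Fraction of the month the VM was up. With exclude_planned=True the
    vendor's maintenance-window caveat applies and planned outages do not
    count against the SLA."""
    downtime = timedelta()
    for o in incidents:
        if o.vm == vm and not (exclude_planned and o.planned):
            downtime += o.duration
    return 1.0 - downtime / MONTH


def credit_rate(avail: float) -> float:
    """Map an availability figure onto the credit schedule."""
    for floor, rate in CREDIT_TIERS:
        if avail >= floor:
            return rate
    return CREDIT_TIERS[-1][1]


def pro_rata_credit(exclude_planned: bool) -> float:
    """Vendor-style credit: each VM's rate applied only to that VM's own charge."""
    total = sum(credit_rate(availability(vm, exclude_planned)) * fee
                for vm, fee in MONTHLY_FEE.items())
    return round(total, 2)


def weighted_credit(exclude_planned: bool) -> float:
    """Customer-style credit: each VM's rate applied to the whole monthly bill
    in proportion to its negotiated weight, so an outage of a critical but
    cheap VM is not diluted by its small share of the charges."""
    whole_bill = sum(MONTHLY_FEE.values())
    total_weight = sum(WEIGHT.values())
    total = sum(credit_rate(availability(vm, exclude_planned)) * whole_bill * (w / total_weight)
                for vm, w in WEIGHT.items())
    return round(total, 2)


if __name__ == "__main__":
    for exclude in (True, False):
        label = "planned maintenance excluded" if exclude else "all downtime counted"
        print(f"--- {label} ---")
        for vm in MONTHLY_FEE:
            print(f"{vm:11s} availability {availability(vm, exclude):.4%}")
        print(f"pro rata credit: {pro_rata_credit(exclude):8.2f}")
        print(f"weighted credit: {weighted_credit(exclude):8.2f}")
```

With these constructed figures the ledger database drops from the 10% tier to the 25% tier once planned maintenance is counted, and the weighted scheme pays out more than twice the pro rata amount in that case, because the credit is driven by the VM’s importance rather than by its small share of the bill. Run the same arithmetic against the exclusions in the vendor’s draft SLA before agreeing the credit schedule.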
You should check that the vendor’s potential exposure for any breach of contract (especially for breach of security or data protection obligations) is adequate (e.g. what is the monetary cap and are there adequate exclusions from the cap) and consider whether it is acceptable for the vendor to have excluded liability for loss of or damage to data, as is commonly attempted.
It is also useful to negotiate a specific immediate termination right for any “persistent service failure” (rather than relying on a material breach clause, which can be uncertain or may not be triggered).
Your ability to negotiate some of the changes referred to in this article may depend on your bargaining power (which may be more limited when negotiating with some of the larger providers such as AWS, Microsoft Azure and Oracle), but even where changes cannot be agreed, consideration of these issues will help to ensure that your move into the cloud is made on a well-informed basis.
This guest post was written by Mark Hersey, Associate, Commercial and Technology at Lewis Silkin and James Gill, Partner and Joint Head of Commercial and Technology at Lewis Silkin.