Navigating the impact of the pandemic on technology contracting in preparation for a post-COVID-19 world.

By Brian Meenagh and Alexander Hendry*

A recent Latham.London blog post recommended five steps that customers should take when procuring technology and related services in light of COVID-19 and future pandemics. This blog post examines five additional considerations for customers based in the Middle East.

As a starting point, the recommendations in the Latham.London post still apply, and Middle East customers should:

  1. Have an open discussion with the vendor about the potential service impacts of COVID-19
  2. Structure the service in the most resilient way possible
  3. Consider whether internal (or other third-party) solutions can fill any gaps
  4. Make clear which party will bear any remaining risk of service disruption
  5. Ensure that the output of discussions about “risk” flows through to the fee arrangement

In addition, Middle East customers should consider the following.

1. Dealing with local resellers

Many of the world’s international technology vendors do not supply directly to customers in certain Middle East countries. Instead, they resell their technologies and services through local partners who may, in turn, add value to the arrangement by providing parts of the solution — most typically, implementation or maintenance services.

If a customer is purchasing technology or services from a local reseller, the customer should consider how such reseller might be affected by a pandemic, for example:

  • Which elements of the overall solution, if any, is the local reseller responsible for? Customers may wish to avoid local resellers that are overly reliant on personnel, and opt instead for solutions that use technologies that depend less on human intervention, and that do not require physical access to customer premises or other locations.
  • If personnel are involved, where are they located? Customers may wish to specify this in the contract, avoiding, when possible, having personnel based in a location or environment where they may be particularly vulnerable to the effects of a pandemic.
  • Does the local reseller have remote working arrangements in place? Customers may now consider this to be a key requirement that should be reflected in the contract.
  • How strong is the local reseller’s relationship with the international vendor? Customers will want to ensure, through a combination of due diligence and contractual mechanisms, that in the event of a pandemic, the international vendor provides the local reseller and the customer with sufficient support and attention.
  • How financially robust is the local reseller? This is always a key concern — and never more so in times of economic uncertainty.

International vendors may make changes to longstanding arrangements as a result of COVID-19. For example, international vendors may decide to build new on-the-ground capability in key Middle East markets, to reduce their reliance on local resellers. Customers should speak to local resellers and international vendors about their plans, and how future procurements might be affected and restructured as a result.

2. To what extent is a vendor dependent on international travel?

Throughout the Middle East, technology vendors are often dependent on international travel routes remaining open. This may be because a vendor:

  • Is based entirely or substantially elsewhere, and operates a “fly-in-fly-out” model for vendor personnel providing technology and related services in the region;
  • Has a hub in one country in the Middle East, from which it services the entire region; or
  • Relies on an international workforce who are not resident in the region.

The world has learned the fragility of free movement. The operating assumption is that borders will reopen, but when and to what extent remain unknown. Moreover, there are no guarantees that this will be the last global event that forces borders to close.

Middle East customers should scrutinise the extent to which international and domestic travel is a critical necessity for a technology vendor, and ask questions about possible alternative arrangements should travel become difficult or impossible.

Depending on the circumstances, and if remote working is not possible or inadequate, customers may wish to prioritise vendors with locally based personnel, or require that a vendor maintains a certain percentage or number of its personnel resident in the customer’s country or city. Customers should also consider this more broadly across their technology supply chains, to ensure that they are not overexposed to the vulnerabilities of any one particular travel route, country, or area.

Business continuity and disaster recovery (BCDR) schedules, a key feature of contracts pursuant to which services are provided on an ongoing basis, have traditionally focused on handling physical disruption to vendors’ delivery infrastructure. From now on, these schedules should also address how the vendor will continue to provide services in the event of a pandemic and any resulting restrictions on international travel.

3. Remote capability

The governments of a number of Middle East countries took swift and decisive action in response to COVID-19, including, in some countries, the comprehensive closure of private sector workplaces except essential services. In many places, and even industries, this was the first time that, to carry on doing business, companies had to enable their personnel to work remotely — and many were simply not prepared.

Remote working likely will be more common post-COVID-19. Therefore, customers should consider:

  • What new technologies and services are required to remote-enable a workforce?
  • When evaluating any new solution, to what extent can it be implemented, used, and maintained remotely?
  • Can a solution operate “contact free” if necessary?

Customers will want to ensure that their businesses are equipped to handle any future scenarios in which remote working is desired or becomes a necessity.

4. BCDR vs. data localisation

COVID-19 has changed perceptions of what constitutes good BCDR planning. In recent history, catastrophic events — even wars and natural disasters — have typically been confined to a single country or region. Consequently, in many archetypal BCDR scenarios, having a backup data or service centre a few hundred miles away might be considered sufficient.

Pandemics are unique in the geographical scale and timing of their impact. They affect a large number of countries, and they can do so quickly and almost concurrently. In such circumstances, relying on a failover site in a neighboring city, or even country, may be unwise, and broader “geographical hedging” (i.e., having contingencies located farther apart, in different countries, regions, or continents) may be required.

This can be particularly challenging in the Middle East, where certain countries have data localisation requirements that oblige customers to store their data in the same country as the customer, and prohibit or restrict its export. Therefore, a vendor’s backup data centre cannot be outside the customer’s country.

Throughout the COVID-19 pandemic, data centres have proved to be fairly resilient, and their most vulnerable component may be their people. So how will a vendor ensure that any personnel who need access to a data centre can have it? And to what extent is remote access a viable alternative?

Customers should ask vendors how they intend to ensure that their contingency measures are sufficiently geographically diversified, whilst maintaining compliance with local laws. Customers should also investigate how a vendor’s BCDR planning dealt with the pandemic, and ensure that any failures or weaknesses have been addressed.

Also, localisation requirements may not always apply to all data. Customers should involve their information security teams to determine what data must be stored in-country and what data can be stored offshore.

5. Increasing regulation — who bears the cost?

In response to COVID-19, many governments, including several in the Middle East, have invested heavily in their respective private sectors to help mitigate the economic impacts of the pandemic. At the very least, such investments are likely to be accompanied by increased scrutiny of the benefitting industries and businesses. They may also be followed by increased regulation, requiring businesses to take certain precautions and implement preventive measures to give them the best chance of weathering the next pandemic or economic disaster, and to limit the need for state intervention in the future.

With that in mind, customers should keep scanning the horizon to ensure that they are not caught off-guard. Governments may take a risk-averse approach to some of the issues discussed in this post, and in some countries, new regulations may emerge, such as regulations that require businesses to invest in on-shore technology, or that make it more difficult for customers to receive services that are dependent on international travel.

Customers should also ensure that their technology contracts contain adequate “Change in Law” and “Change Control” provisions, to ensure that they fairly apportion any risks or costs that may arise as a result of new legislation, and any changes to the solution that are required as a result.

So what next?

The coming months, perhaps even years, will see considerable change that will have a material and lasting effect on technology contracting. For many customers, it may be difficult to know what their own business will look like post-COVID-19, let alone what their technology supply chains will look like. But the customers who learn from the impacts of COVID-19, and who adapt their approach to technology contracting accordingly, will be the ones best-placed to succeed in a post-COVID-19 world.

*Admitted to practice in Scotland only