Tech & Sourcing @ Morgan Lewis

During the Biden administration, there was a push to prioritize and modernize cybersecurity responses, and the National Institute of Standards and Technology (NIST) agreed to work with the technology industry to develop a new cybersecurity framework. Now, those promises have come to fruition as NIST has provided updated industry-leading guidance in the cybersecurity field.

Logistics issues in all phases of the supply chain have their own set of challenges at an international level.

According to Forbes, “in 2025, the landscape of enterprise resource planning (ERP) is set for a thrilling transformation,” with a shift toward cloud-native ERP solutions at the top of the list.

Chicago recently experienced its first dust storm since 1934, resulting in low to zero visibility in some parts of the city.

Outsourcing and technology deals are increasingly done in “dust storm-like” conditions, with low to zero visibility into a wide range of issues, ranging from geopolitical to economic to regulatory and beyond. Navigating through these conditions requires clarity—including contractual clarity—on consistent core principles, creative thinking about resiliency, a flexible framework for decision-making, and an action plan you can implement in the worst-case scenario.    

Describing Core Principles

The core principles should be clear, concise, and deal-specific. Consider the following non-exhaustive factors when identifying the core principles for your outsourcing or technology contract:

• Identify What is Essential: Determine what is essential, taking into account the impact a technology/service disruption would have on the customer’s business
• Know Your North Star: Align on the objective or metric that will guide all decision-making, whether it be safety, integrity of the financial systems, legal compliance, parity with others in the same industry or market, or another relevant metric
• Allocate Scarce Resources: Set expectations with respect to prioritization relative to other users of technology or services, either based on the industry, degree of dependency, size of the account, or other relevant factors

The Rise of Resiliency

“Resilience is accepting your new reality, even if it's less good than the one you had before.” – US attorney and activist Elizabeth Edwards

Outsourcing and technology contracts often contain nuanced provisions addressing changes in law, force majeure events, cybersecurity incidents, and other eventualities, all designed to put in place appropriate plans and processes to manage foreseeable adverse scenarios and allocate related risk.

While “traditional” contractual mechanisms for dealing with adverse events remain important, resiliency as a whole is increasingly regulated, but on a targeted industry-by-industry, jurisdiction-by-jurisdiction basis (e.g., regulated of digital operational resilience of the financial sector in the European Union through the Digital Operational Resilience Act (DORA)).

Industries and jurisdictions that are not (or may not yet be) subject to resiliency-focused regulations should consider leveraging extensive work done in the regulated industries or jurisdictions in connection with these regulations for the benefit of the broader customer base. For example, a technology provider servicing the financial sector would have implemented changes to the supply chain necessary to achieve DORA compliance. The resiliency of this stronger supply chain may, in turn, increase the resilience of an automotive manufacturer using that same technology. 

Developing A Generally Applicable Framework For Decision-Making

“Plans are nothing; planning is everything.” – US President Dwight D. Eisenhower

Consider supplementing existing contractual and regulatory mechanisms that address likely adverse developments and resilience topics with a decision-making framework based on the core principles described above. In other words, if there is no relevant plan or procedure and limited time to make a new plan or procedure, what is the “right” process for making decisions? Consider the non-exhaustive factors below.

Allocate Responsibilities for Monitoring, Testing, and Decision-Making

Determine the minimum acceptable level of control each party would have in a “dust storm.” Under what circumstances would unilateral action by a party be acceptable, at least on a temporary basis? For example, does the customer have the right to determine that the “dust storm” is sufficiently imminent to warrant implementation of contingency plans?

While the process for declaring an emergency or disaster is well-established in business continuity and disaster recovery principles, one of the newer trends is long-term uncertainty and volatility in highly disruptive events—whether with respect to the impact of tariffs, executive orders, the COVID-19 pandemic, and other factors where industries and organizations may make reasonable but different judgment calls.

A critical precursor to decision-making is ongoing monitoring and reporting of the relevant conditions. While macro-conditions that are not specific to the deal may be monitored by both parties, likely for different reasons, consider a flexible structure for information gathering and information sharing consistent with the core deal principles.

Set Up Lines of Communication

Determine the “always on” level of communication that can be reasonably available for nearly any situation. For example, an outage that is expected to rise to the executive level may warrant an active executive-level channel of communication if needed. Yes, this would not be a reasonable avenue for hundreds of vendor contracts that may need to be dealt with under adverse circumstances.

Identify Relevant Decision-Makers

Determine the core group of individuals who can make decisions when ordinary course processes are not available for any reasons.

Design Clear Contractual Backstops

Contractual backstops, such as termination rights and step-in rights, are increasingly viewed as key deal points, similar to pricing on the commercial side and data protection on the legal side.

In the next installment of this two-part article, we will explore current trends in these contractual backstops in the face of uncertainty.

In an earlier two-part series (Part 1 and Part 2), we explored key factors for companies and influencers to consider when drafting and negotiating influencer agreements to advertise and market products and services on social media.

In our March 2024 blog post Study Finds Average Cost of Data Breaches Continued to Rise in 2023, we highlighted the key findings of the Ponemon Institute’s Cost of a Data Breach Report 2023. Each year, the report sets forth a vast dataset analyzing data breaches at hundreds of organizations to spot trends and developments in security risks and best practices. The Ponemon Institute recently published its Cost of a Data Breach Report 2024, showing an increase in data breach costs in many areas of business.

Global Capability Centers (GCCs) enable global enterprises to provide information technology and business process services from a central delivery location.

Sports sponsorship contracts traditionally focus on category exclusivity and entitlements while overlooking data sharing language. However, with the rapid evolution of data usage in the industry, incorporating data sharing rights and obligations in sponsorship contracts is essential to maximize benefits for sponsors and sports entities.

As the summer 2025 concert season continues to ramp up, we want to take the opportunity to explain why your favorite band or artist might only be performing once in your region this summer: a radius clause.

We are excited to welcome Mathilde Carle as a partner in Morgan Lewis’s Paris office and as a guest contributor to our Tech & Sourcing Spotlight series to discuss intellectual property (IP) protection and other related issues in agreements to design, build, license, host, and support digital solutions, including automation, AI, and software as a service (SaaS) products.