Tech & Sourcing @ Morgan Lewis

TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS
In many standard service agreements, providers will typically be required to deliver their services in accordance with generally accepted industry standards and practices and with professionalism and a level of skill appropriate to the agreement’s demands. While this standard often serves as a benchmark, it is rarely spelled out in detail. To reduce ambiguity, some agreements may go a step further, introducing a defined term to capture the expected service quality.
UK financial regulators recently published their supervisory expectations for critical third-party service providers (CTPs) to the financial sector under the United Kingdom’s new regime extending regulatory oversight to CTPs. The final rules align with key themes of other regulatory regimes seeking to reinforce operational resilience (e.g., the EU Digital Operational Resilience Act (DORA)) around risk management, supply chain management, and incident management, among other areas.
Contract Corner
When a supplier develops intellectual property (IP) as part of a service agreement with a customer, should the parties always agree to the traditional position that the customer owns all developed IP?
On October 31, 2024, the UK Financial Conduct Authority (FCA) published observations and key lessons from how firms responded to the CrowdStrike IT outage. The outage caused disruption across several industries globally, and the FCA highlights for UK financial services the importance of ensuring operational resilience in order to minimize the potential impact of future events on consumers and markets.
One of the commonly advertised features of AI is that it is beneficial for automation and increasing productivity. When a company considers improving its productivity and employing an AI tool, it will typically go through a contracting process with the service provider and assess the terms of use and associated risks for the business. But what happens if an employee presses on and starts using an AI tool that was not vetted by the company?
As AI continues to be steadily and increasingly incorporated into service offerings, businesses should pay special attention to previously “standard” provisions when contracting for the provision and use of services that incorporate AI. This is especially true considering there may be situations where service providers use AI at some point in the workstream without the recipient even realizing it.
In our latest blog post on preparing for the EU’s Digital Operational Resilience Act (DORA), entering into force on January 17, 2025, we take a look at second-level requirements under DORA covering the classification and reporting of major information and communications technology (ICT) related incidents. These requirements will need to be addressed through operational risk management frameworks and contract remediation efforts with technology vendors.
Beginning January 17, 2025, financial entities based in the European Union must have in place processes and policies, and mandatory contract provisions with their third-party technology vendors, that comply with the EU Digital Operational Resilience Act (DORA).
Today, cutting-edge technology and how it is being used garner news coverage, but how companies build these products and get them to their customers is often overlooked. Companies negotiate and contract for the development and manufacture of the products as well as the sometimes complicated logistics necessary to deliver them to customers quickly in an increasingly demanding marketplace.