5 best practices for negotiating SaaS contracts for risk and security

Adoption of SaaS offerings accelerated this year because of the large-scale shift to remote work prompted by the COVID-19 pandemic. The trend has heightened enterprise exposure to cyber threats and brought into sharper focus the security and risk factors that organizations need to consider when negotiating software-as-a-service (SaaS) contracts.

Gartner expects the overall public cloud services market will grow 6.3% this year to $257.9 billion from $242.7 billion last year. The SaaS segment itself is expected to top $104.6 billion, up from around $102 billion last year at least partly because of increased need for new collaboration tools during the pandemic.

As adoption of SaaS services has increased, so have concerns over potential security issues. In a recent AppOmni survey of 200 IT professionals, 66% of respondents said they had less time to secure their SaaS applications post COVID-19 even though they believed their enterprise SaaS environment put them at greatest risk of business disruption.

“Most of the discussion when there is one from a security perspective is around data protection and what happens when an event occurs where either availability or data is compromised,” says Daniel Kennedy, an analyst with the 451 Group.

Here, according to Kennedy and others, are five key considerations to keep in mind when negotiating SaaS contracts to ensure risk and security factors are adequately addressed.

1. Create a master list of risks relevant to your organization

There is no one-size-fits-all approach to negotiating security clauses in SaaS agreements. A lot of what you need to (and can) do depends on context. The size of your organization, and that of the SaaS provider, is critical. Generally, the larger you are and the bigger your planned service procurement, the better your leverage.

Before negotiating with a SaaS vendor—or even during the RFP stage—consider the expected use of the system. For example, if you plan on using the SaaS system to manage your organization’s customer relationships, then you need to focus on how the SaaS vendor will protect the customer data and how they will ensure system stability and reliability, says Luke Ellery, senior research director at Gartner. On the other hand, if the SaaS system you plan on using is more internally focused, such as a learning management system, the data is less sensitive and the service is not likely business critical, he says.

“The best practice is to have a master list of risks such as security, privacy, geographic, regulatory, business continuity and disaster recovery,” Ellery says.  “Then take a triage approach to have the vendor address those risks that apply to their services.”

2. Communicate what’s non-negotiable to stakeholders

At many organizations, security groups are called in only at the end of the negotiation process when there’s little room, or time, to introduce substantial changes. So, it’s important to ensure the procurement team is aware of and covers at least the fundamental, non-negotiable security issues around data protection at the start of negotiations.

CISOs should collaborate with IT and business leaders to consider their organizations’ risk appetite. They also need to consider all regulatory and industry requirements when determining what is non-negotiable in their SaaS agreements, Ellery says. “These can be used as vendor pre-qualification criteria.”

For example, one good pre-qualification criterion could be the need for all data to be encrypted in transit and at rest or for all data to be stored within a specific country or geography. Including such criteria up front provides clarity to the vendor on your expectations, Ellery says.

Generally, anything to do with the availability, resiliency and confidentiality of your data should be non-negotiable, adds Vikram Kunchala, principal at Deloitte’s Cyber and Risk practice. Here again, a lot depends on what you plan on using the SaaS vendor for, he says. Your risk increases depending on the criticality of the data involved. So, the goal should be to ensure your vendor has adequate capabilities to protect your data.

Certifications like SOC 2 Type II, ISO 27001, ISO 22301 and CSA CCM are relatively reliable indicators of a SaaS vendor’s adherence to accepted security best practices. Verify your vendor is accredited to such standards when selecting one.

“SaaS is a pretty broad area. I can have SaaS for CRM, I can have SaaS for human capital kind of work or I can have SaaS for security,” Kunchala says. “If your vendor doesn’t have the right controls, your whole organization can get exposed”

3. Negotiate additional protections 

Negotiate what concessions you can by way of additional security protections. Keep in mind that some issues might not be easily negotiable or negotiable at all.

SaaS is a scale business, based on a standard product offering, Ellery says. So some changes, such as system availability or data storage location, might not be negotiable. “Every vendor is different and significant concessions will typically depend upon the SaaS vendor’s ability to make the concession, as well as your leverage — or if the concessions you want relates to a regulatory requirement,” he says. Liability clauses, involving breaches and data compromises, can often be the most difficult clauses to negotiate. So, consider other options such as the vendor’s cyber insurance provisions.

Make sure to include language that protects you in case your SaaS vendor is acquired, Kunchala advises. Address issues like what happens to your ongoing contract, or how you might renew it, if another SaaS vendor acquires your provider. Will the new vendor honor your existing pricing agreement or will they have completely different pricing?

You also want to look at what kind of issues the vendor might have listed as potentially unforeseeable circumstances that would prevent them from offering their product or service. Make sure the force majeure circumstances the vendor has listed are reasonable. If cybersecurity events are listed that you believe don’t belong, push back on those items, says Kennedy,

4. Insist on early breach notification

Regulations like the EU’s General Data Protection Regulation (GDPR) and Payment Card Industry (PCI) standards require organizations to contractually ensure that third parties have reasonable measures in place to protect sensitive data. The mandates have specific requirements and timelines for breach notification in the event of a security incident at the SaaS provider that impacts covered data.

When negotiating with a SaaS vendor make sure to include provisions for prompt breach notification, says 451 Group’s Kennedy. Such clauses can be contentious to negotiate because SaaS providers don’t want to be pinned down to a specific timeline. Often, their biggest objection has to do with the fact that there is no telling how quickly a breach might be initially discovered.

“Despite that, you must insist on immediate notification on any security data breach where your customers’ data is affected,” Kennedy says. “The SaaS provider can’t sit around deciding the best way to give you the information or work according to their own timeline in that scenario when they’re essentially your third-party supplier.”

5. Pay special attention to contract termination conditions

One of the most important things you need to consider when entering into a SaaS contract is spelling out exactly what happens at the end of it. While mature SaaS vendors will likely have a formal process for returning and deleting data, it’s important to come to an explicit agreement on what exactly that process entails.

The questions you need to consider include your organization’s ability to get its data back when the agreement ends and what the vendor’s processes are for deleting your data and ensuring no third party has access to it. “The first thing with SaaS agreements is to ensure you have a right to get your data back irrespective of termination,” Ellery says. Many CISOs regularly test data retrieval from their SaaS vendors or have a service to backup critical data to an on-premises or cloud storage service to ensure they have this capability, he says.

Consider signing up for transition assistance if your organization is using the SaaS service for critical operations. A transition assistance clause extends your agreement for a specific period after your contract has ended so you have time to transition to another provider in a secure manner, Ellery says. “Many financial services organizations seek a minimum 18 months of transition assistance for their critical systems,” he says. Termination and transition clauses are often negotiable as the vendor is still being paid for their services.

Deloitte’s Kunchala advises that organizations get some level of assurance from their vendor regarding claims about data deletion and data transfer. Multiple copies of your organization’s data, or bits and portions of it, might exist on a SaaS provider’s infrastructure and it is their responsibility to delete it, he says.

“They need to provide some level of assurance because then whatever liability clauses you might have will come into effect,” he says. At some point you have to take your vendor’s word for it and hope that your data doesn’t surface in some breach at a future date, he says.