If your business relies on third-party IT vendors, economic uncertainty could put your operations at risk. Significant rises in fuel and other production costs, spurred on by the wars in the Middle East and Ukraine, are adding pressure on businesses. Given this environment, insolvencies are more likely in the short to medium term.
The insolvency of a vendor that runs or manages a business’ key IT system can have severe and dramatic effects. It may result in the business being unable to access and use key IT systems. Depending on the system in question, this can have knock-on effects to other systems in the business’ environment and disruption to operations. A vendor’s insolvency may also result in loss of access to key business data being hosted by that vendor.
This article highlights some mechanisms that can be adopted to mitigate the risks to your business from IT vendor insolvency under Australian law.
What to do if your IT vendor fails
The steps you take immediately and in the days after learning that an IT vendor has entered administration or liquidation are critical. The following steps should be taken:
- Identify and notify relevant internal stakeholders, including legal, IT, procurement and, depending on materiality, the executive team. Ensure clear responsibility for each aspect of the response.
- Secure your data. If business data is stored on the vendor’s platforms, try to obtain a copy in a usable format promptly.
- Review the contract to understand your rights regarding your data, goods and other materials (such as software) developed or procured by the vendor on your behalf, termination, step in rights, assignment/novation consent rights and any escrow arrangements.
- Engage with the appointed administrator or liquidator to understand the likely trajectory and whether services will continue.
- Assess your financial exposure, including amounts owed for completed or partially completed work, recovery rights for any prepaid fees and any other claims you may have against the vendor.
- Assess your ability to continue to run your operations. Is there an alternative vendor you can turn to quickly – even to deliver part of what the vendor provides? Are there key subcontracts or personnel that the vendor relies on to deliver the services that you should take over or employ?
Speed is important. Once an administrator or liquidator is appointed, your data, the materials and other goods procured on your behalf, and the IT systems on which you rely may be treated as part of the vendor’s assets, making them difficult or impossible to access.
How to protect yourself
There are steps you can take upfront to better protect yourself from vendor insolvency risk. The best time to do this is when you contract with your IT provider, although you can raise this mid-engagement (but your leverage may be lower). Some regulators, such as APRA, recognise the importance of addressing this risk upfront, with standards such as CPS 230 (Operational Risk Management) requiring entities to take steps during the procurement and contract negotiation phase to manage these risks.
If your vendor is offshore, many of the principles will remain relevant, although different jurisdictions will have different insolvency rules and procedures.
Contractual methods
The following contractual measures should be considered:
- Ensure you are notified
Your IT contract should require the vendor to notify you promptly if it suffers an insolvency event. Ideally, the concept of “insolvency event” should be broadly drafted and cover pre-insolvency warning signs, such as if the directors enter into the safe harbour regime or the company receives a statutory demand. The IT contract should also include information rights so that if you suspect the vendor may be experiencing financial distress, you can request information (such as financial information) to diligence and monitor the position.
- Control your data
Where possible, you should assess whether hosting the data within your own systems or on other third-party infrastructure is commercially and operationally preferable. From an insolvency-risk standpoint, this reduces vendor dependency and avoids the risk that your data will become inaccessible or treated as an asset of the insolvent estate (noting that the credit-worthiness and insolvency risk of any third-party infrastructure provider should also be separately diligenced and monitored).
- Establish an escrow arrangement
Where hosting data separately is impractical or not preferred, escrow arrangements can offer a fallback and are, in some cases, exempt from the ipso facto stay requirements referred to in the next section.
Traditional software escrow involves the vendor depositing source code and other materials at agreed intervals with an independent escrow agent. The agent releases materials to the customer if certain pre-agreed triggers occur, which ordinarily include insolvency events. The typical intent is that the customer can then ensure business continuity while it transitions to a longer term alternative solution. SaaS escrow options exist but can be more costly, for example if they involve a mirror environment operating independently from the main environment. It is important that no action is required of the vendor for the agent to release materials to you in the event of a vendor insolvency, as the external administrator of the vendor will not be bound to perform the vendor’s obligations under the escrow agreement. This is why the release should occur automatically on your delivering a notification that an insolvency event has occurred with the vendor.
Escrow arrangements are not failsafe, however. Their utility depends on a number of factors, including the quality of deposited materials, third-party dependencies, the independent escrow agent maintaining solvency and your capability to recreate and support the solution independently.
- Adopt wide termination rights
Australian IT contracts routinely included clauses allowing termination if the vendor suffers an insolvency event, like entering administration or liquidation. But the introduction of the ipso facto regime in the Corporations Act 2001 (Cth) impacted the enforceability of these and some other provisions/contractual rights that are triggered by certain insolvency events in contracts entered into on or after 1 July 2018 and pre-1 July 2018 contracts that are novated or varied after 1 July 2023.
The effect is that a customer may be prevented from terminating simply because its vendor has suffered certain insolvency events, like entering administration or restructuring, even if the contract expressly permits this. However, other termination for cause rights remain unaffected and exemptions apply for certain contracts. Termination at common law may also be available. Certain categories of contracts are also excluded from the regime and the court has discretionary powers to declare that the stay does not apply.
What this means is, where possible, IT contracts should be drafted with a broad range of rights (including termination rights) and regular performance obligations on the part of the vendor (which, if breached, will allow the customer to terminate or exercise other rights) that could operate independently of an ipso facto stay and incorporate rights that are exempt from the stay, such as step in rights and assignment rights.
- Require immediate data and IP return
Your IT contract should ideally provide clear rights to obtain your data and other property promptly and at any time during the contract, allowing defensive steps to be taken before or during a vendor’s administration or liquidation (in the case of an administration/liquidation, the external administrator will not be bound to comply with the vendor’s contractual obligations and the rights should therefore, to the extent possible, be exercisable without the need for any action by the vendor). At a minimum, the contract should allow for return of materials on insolvency, termination or expiration, within an agreed period and in a usable format. But given the risks that arise if an external administrator is appointed, you should also consider whether you are able to self-execute the return of your data (or your critical data) as part of the functionality of the IT solution (such as by downloading a copy, if possible).
It is also worthwhile including restrictions on the assignment/novation of the contract or a change of control transaction without your consent. To the extent that the contract remains on foot during the external administration and a buyer is found for the vendor/vendor’s business who wishes to keep the contract, the restriction may give you some negotiating leverage to impose conditions for your consent.
Other methods
Aside from contractual measures, vendor insolvency risk should be considered more generally over the lifecycle of the procurement – in procurement due diligence and as part of your ongoing business continuity planning, particularly for material IT vendors. Key questions to ask include: What assurances exist that the vendor can continue as a going concern? How quickly could you transition to another vendor? Are there alternatives at all? Are there alternatives that can supply part of what the vendor provides? Can you implement the transition or alternative without the vendor’s involvement? Is it possible to take security from the vendor to protect your position? Are your processes documented for responding to vendor insolvency?
Looking ahead
Vendor insolvency risk is always a possibility, although the likelihood that it will occur will vary materially between vendors. For businesses that rely on third-party IT providers, taking steps to minimise vendor insolvency risk throughout the procurement lifecycle is the best way to reduce the impact of any insolvency that arises. Even if you have not done this, defensive options may exist, but you should act promptly.