The Information Technology ("IT") services landscape has shifted dramatically in the past few years at incredible speed. Artificial Intelligence ("AI"), heightened cybersecurity threats, geopolitical trade tensions and evolving data protection regimes have fundamentally reshaped the risks that underpin modern IT engagements. Yet many organisations continue to rely on Master Services Agreements ("MSA") that were drafted for a different era.
If an MSA has not recently been refreshed or updated, it is very likely that it contains gaps and provisions that no longer reflect how technology services are delivered and consumed. As such, a legacy MSA may no longer protect organisations in the ways that matter most today. Below, our team highlights the key areas where legacy MSAs often fall short.
- Artificial Intelligence: Vendors are increasingly using AI tools in delivering their services, from code-generation assistants to large language models. Without express contractual controls, you may have no visibility as to whether AI is being used, how it is deployed and who owns the outputs. An MSA should, among other things, contain provisions that address whether the use of AI tools is permitted as well as ownership and rights of AI-generated outputs.
- Customer data: Many legacy agreements treat data protection as a subset of confidentiality or address it only by referencing privacy legislation. A dedicated customer data clause in an MSA should address obligations around encryption, access controls and data classification, and also address data commercialisation. In an era where data is a strategic asset, this protection cannot be left to implication.
- Open-Source software: Open-source code or software is embedded in a number of modern technology stacks. It becomes a problem when copyleft-licensed components are incorporated into bespoke deliverables which a customer intends to own, including the intellectual property ("IP") in such deliverables. Copyleft obligations generally include source code disclosure and restrictions on commercial exploitation, among others, which effectively "infect" proprietary IP. Legacy MSAs are often silent on open source, creating a significant gap.
- Export controls and Geopolitical risk: Export control regimes can restrict the use, integration or deployment of certain technologies. For organisations operating across multiple jurisdictions or contracting with multi-national or foreign vendors, an MSA that is silent on export restrictions may leave you exposed to service disruption with no contractual remedy.
- Limitation of liability: Many older MSAs contain symmetrical liability caps that apply equally to both parties. In an IT services context, this is difficult to justify when a vendor holds a customer's data, performs the services and introduces risk into the customer's environment. Organisations should review carve-outs to ensure sufficient risk allocation.
- Technology refresh and innovation: A services engagement that begins with current technology can become outdated within a few years if the agreement imposes no obligation to keep pace. A good MSA should require the vendor to ensure all equipment and software remains manufacturer-supported and aligned with prevailing industry standards.
The Bottom line
An MSA that was considered robust a few years ago may now contain material gaps in areas that have become central to technology risk management. The clauses discussed above are not exhaustive, but they represent the areas where we most frequently see organisations exposed.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.