
Risk Mitigation via Software Code Due Diligence – Tech & Sourcing – Morgan Lewis


Morgan Lewis’s technology, outsourcing, and commercial transactions team often advises on transactions in which some form of intellectual property is transferred from one party to another. This may be part of a corporate transaction, a cooperation or joint venture arrangement, or some other form of commercial agreement.

Common Commitments

In technology transactions, software is often the subject of the transfer, and that software will itself be subject to various intellectual property rights, such as copyright or patents.

It is common practice for the transferring entity to provide warranties in respect of software to be transferred. Such warranties would typically include the following commitments:

  • The transferor has the right to transfer the software.
  • The software does not infringe the rights (including intellectual property rights) of any third party.
  • The software is free from encumbrances (e.g., security interests, charges)—in the United Kingdom, it is common to use the language “transfers with full title guarantee” to address the right to transfer and that the software will be free from encumbrances.
  • The software does not contain any open-source software on a copyleft/restrictive basis.
  • The software is free from material defects.

It is also common to see an associated indemnity to cover any losses suffered by the transferee from third-party claims arising out of or in connection with the software infringing third-party rights.

Due Diligence

On certain occasions, the transferor may be unwilling, or unable, to provide sufficient warranties and indemnities to provide the transferee with the protection it requires. This may be for a number of reasons, such as legacy issues, specific nuances of the deal, or the parties’ relative bargaining power.


In such circumstances, the transferee will need to consider other options to mitigate the risks of taking ownership of the software without such protections.

One way of mitigating the risks is to undertake due diligence on the software’s code. There are numerous providers of such services, which are becoming more popular as the number of software-related transactions increases.

Such reviews can check the code for agreed potential issues, such as

  • third-party components and their associated dependencies;
  • open-source code used; and
  • the quality of the code.

The aim of such checks is to identify potential issues that may otherwise have been covered by some of the warranties, so that the transferee can decide if there are material issues. If there are material issues, the transferee may want to consider pushing again for appropriate warranties and/or indemnities or trying to address the potential risks in another manner, such as changes to commercials.
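As an added illustration (this is not code from the Morgan Lewis article or from any review provider), the script below shows the kind of dependency and licence check that such a review automates. It walks a CycloneDX-style software bill of materials (SBOM), classifies each reachable component by its declared SPDX licence identifier, and reports every copyleft or undeclared licence together with the dependency path through which it reaches the transferred software. The SBOM content, package names and the licence classification table are constructed assumptions for the example; how a given licence is actually treated for deal purposes remains a legal judgement.

```python
import json
from collections import deque

# Illustrative classification of SPDX identifiers. Which licences count as
# "restrictive" is a legal call for the deal, not a fixed technical fact.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
                 "LGPL-3.0-or-later", "MPL-2.0", "EPL-2.0"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
# Lower number = more serious for a transferee.
SEVERITY = {"strong-copyleft": 0, "weak-copyleft": 1, "unknown": 2, "permissive": 3}

# Constructed CycloneDX-style SBOM for a hypothetical product "app" (not a real project).
SAMPLE_SBOM = json.dumps({
    "components": [
        {"bom-ref": "pkg:npm/app@1.0.0", "name": "app",
         "licenses": [{"license": {"name": "Proprietary"}}]},
        {"bom-ref": "pkg:npm/express@4.18.2", "name": "express",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:npm/pdf-tool@2.1.0", "name": "pdf-tool",
         "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
        {"bom-ref": "pkg:npm/ghost-lib@9.0.0", "name": "ghost-lib",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        # No licence declared at all: a finding in its own right.
        {"bom-ref": "pkg:npm/mystery-lib@0.3.0", "name": "mystery-lib"},
    ],
    "dependencies": [
        {"ref": "pkg:npm/app@1.0.0",
         "dependsOn": ["pkg:npm/express@4.18.2", "pkg:npm/pdf-tool@2.1.0"]},
        {"ref": "pkg:npm/express@4.18.2", "dependsOn": ["pkg:npm/mystery-lib@0.3.0"]},
        # "missing-lib" is referenced but never described: an SBOM integrity gap.
        {"ref": "pkg:npm/pdf-tool@2.1.0",
         "dependsOn": ["pkg:npm/ghost-lib@9.0.0", "pkg:npm/missing-lib@0.1.0"]},
    ],
})


def declared_licenses(component):
    """Collect the SPDX ids (or free-text names) a component declares."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        lid = lic.get("id") or lic.get("name")
        if lid:
            ids.append(lid)
    return ids


def classify(license_ids):
    """Return the most serious category among a component's declared licences."""
    if not license_ids:
        return "unknown"
    categories = []
    for lid in license_ids:
        if lid in STRONG_COPYLEFT:
            categories.append("strong-copyleft")
        elif lid in WEAK_COPYLEFT:
            categories.append("weak-copyleft")
        elif lid in PERMISSIVE:
            categories.append("permissive")
        else:
            categories.append("unknown")  # non-SPDX or unrecognised id
    return min(categories, key=SEVERITY.get)


def audit(sbom_text, root_ref):
    """Breadth-first walk of the dependency graph from root_ref.

    Returns findings for every reachable component that is not clearly
    permissive, each with the path from the root that pulls it in.
    The root itself (the transferred software) is not assessed.
    """
    sbom = json.loads(sbom_text)
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    findings, seen = [], {root_ref}
    queue = deque([(root_ref, [root_ref])])
    while queue:
        ref, path = queue.popleft()
        for dep in graph.get(ref, []):
            if dep in seen:
                continue  # graphs can contain cycles; visit each node once
            seen.add(dep)
            dep_path = path + [dep]
            comp = components.get(dep)
            ids = declared_licenses(comp) if comp else []
            category = classify(ids) if comp else "unknown"
            if category != "permissive":
                findings.append({"ref": dep, "licenses": ids,
                                 "category": category, "path": dep_path})
            queue.append((dep, dep_path))
    findings.sort(key=lambda f: (SEVERITY[f["category"]], f["ref"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SBOM, "pkg:npm/app@1.0.0"):
        print(f"{f['category']:16} {f['ref']:30} {f['licenses'] or '(none)'}")
        print("    via: " + " -> ".join(f["path"]))
```

Two points are worth noting in the output. The GPL component never appears in the product's direct dependency list; it arrives two levels down via the LGPL PDF tool, which is exactly the kind of transitive inclusion a transferor may not know about when giving the copyleft warranty. The undeclared and missing entries are also reported rather than silently treated as clean, because an SBOM that cannot account for a component is itself a diligence finding.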

There can also be other benefits to undertaking due diligence on the software’s code (depending on the kind of review undertaken), including

  • assessing any security concerns;
  • predicting the maintenance effort; and
  • understanding the scalability of the software.

Of course, such code checks are not exclusive to situations where there are limited or no warranties from the transferor, and transferees may decide to undertake them in addition to contractual protections. This is a sensible decision, particularly for high-value transactions and complex software solutions.

Check But Be Careful

Software code checks can provide vital information to a transferee and mitigate some risks, but it is important to note that even the most thorough code checks cannot identify all potential issues and, in particular, it is difficult to identify infringement issues—for example, in relation to third-party confidential proprietary rights.


As such, contractual protections should always be the preferred option and any code reviews should be considered in light of their limitations.
