
Cyber contracting risks. Managing vendors effectively - Part 1

My first post covered some of the top questions customers need to ask their insurer when considering cyber insurance policies. 

Feedback on this post was positive, but a number of readers commented that it would be really helpful to have some insight into what to actually cover in their technology vendor contracts around cyber risk.


In short, it is critical to build adequate protections into your commercial contracts with third-party vendors that have direct access to your information systems and networks. This is particularly important where a third-party service provider has access to your data, client information or passwords, or is connected to your environment through direct system integration.


In the case of the Target hack, the unauthorised access to customer payment card data was traced back to network credentials stolen from one of Target's third-party service providers through a malicious email attack; that vendor had remote access to the Target network. Bear in mind it was Target who got all the press following the breach - hardly anyone remembers who the vendor was!


We generally approach technology contracts with vendors with a "wish list" of preferred customer rights and obligations - what follows is a short two-part series covering each item on the wish list with some discussion of the "why" and the "how".


We are assuming here that the customer has control of the drafting and is not being forced to use a standard off-the-shelf vendor contract. Even where that is the case, many of the rights and obligations below can be included in a negotiated draft and will hopefully assist you in reducing your exposure to contract cyber risks:


Technology Contracts Wish List - Cyber risk


  • Compliance with data security standards and policies

It seems a simple enough obligation, but there is now a myriad of standards which vendors will point to or claim compliance with. Whilst it depends on the nature of the services themselves, relevant standards relating to security include the following:


  • ISO/IEC 27001 Information technology—Security techniques—Information security management systems—Requirements; and
  • ISO/IEC 27002 Information technology—Security techniques—Code of practice for information security management.

Note that only ISO/IEC 27001 is a certifiable standard; ISO/IEC 27002 is a code of practice that a vendor can claim to follow but cannot be certified against. Where a vendor relies on certification, ask for the certificate and confirm that its scope actually covers the services, systems and locations you are buying rather than some unrelated part of the vendor's business.

You should also include compliance with your own policies and procedures, including how you expect your vendors to work within your technology environment. It is reasonable for you to provide details of such policies to your vendor at the commencement of an engagement. Be careful to ensure that the contract lets you pass on updated policies and procedures as and when they evolve, and obliges the vendor to comply with the updated versions.


  • Ensure you have adequate audit rights

Many customers include a standard audit right which focuses on auditing invoicing and payment rights and obligations. This is important but not the whole story. Given the importance technology plays in today's business, ensure you have a right to independently audit the services being performed by your vendor. This will allow you to verify that the services comply with any security standards or policies you have agreed with the vendor. Such audits will also uncover any "issues" that need to be addressed.

Be prepared for some push back - you don't necessarily need to have access to the vendor's premises or data centre to conduct the audit. It could be an independent or desktop audit conducted by an appropriate expert, with a requirement that the vendor provide you with a compliance certificate following the review.


  • Step-in rights

Step-in rights, which allow you to require the vendor to transfer the services back to you or to a third party nominated by you, need to be exercised carefully. They are generally only ever called upon as a last resort where it is clear the vendor is unable to properly perform the services, and most vendors will expect a level of consultation before a customer exercises such a right. They are particularly helpful in the case of a breach event where the disruption to the vendor is so severe that it is unable to perform its obligations to you effectively.


Step-in rights are a useful stick to wield, but only in limited circumstances where the services being provided can be effectively taken back in-house or provided by another third party. For example, you are not going to get a vendor to allow you access to its data centre where doing so would compromise other customers also using the vendor's services.


  • Rights to suspend

Another useful stick to have up your sleeve is a right to suspend the services. This is a right you may exercise on a larger project where the project landscape evolves to the point where you need to scale back or substantially vary some of your original plans. It is also often used where services are not being performed adequately by the vendor.


From a cyber risk perspective it is a useful right to trigger in order to ring-fence a particular set of services or statement of work which is posing risk. It can generally be invoked quite quickly and with no requirement to demonstrate a default by the vendor. If, following the period of suspension, the risk has been managed effectively, you can transition back into that piece of work.


Beware, however, that the right is not without its costs: you will be expected to pay "unavoidable" or "stranded" costs to the vendor for exercising it. These may be significant and can include the costs of dedicated resources, hardware or other capital purchases which cannot reasonably be redistributed within the vendor's business.


  • Termination obligations

Having a broad set of termination rights in the event of a breach of obligation(s), including where a cyber breach has occurred, is important for customers. Termination rights are very much a legal remedy from a customer perspective, but you should ensure the focus of this clause is on reducing any impact to business continuity and getting the services back up and working as quickly as possible.


We are seeing a reduction in the usual notice periods to remedy a breach where the breach is a cyber breach event. A cyber breach can unfold very quickly, and as a customer you do not want to have to wait 7 or 14 days (or longer) for a vendor to try to remedy a breach of obligation. You will want to move quickly and determine whether the breach can be remedied or a workaround arranged within a very short period of time. If steps are not immediately taken to remedy it, termination may be an appropriate right to trigger.

We talk about specific termination obligations when responding to a breach, and the need to work closely with and align to any transition-out/disengagement obligations, in Part 2 of this post.


  • Subcontracting - "one throat to choke"

Technology contracting is a complex business and often there will be a number of players involved in the provision of services to you. 

For example, you may have a primary vendor who licenses in technology from a third-party software provider, subcontracts the hosting elements of the services to a third-party hosting company, procures hardware or other capital requirements from an equipment manufacturer, or subcontracts a portion of the services to a specialised vendor who is better able to deliver that type of service.


With such a crowded contracting space the contracting risks increase dramatically.


The "one throat to choke" approach encourages you to appoint one contractor who manages these separate relationships on your behalf but ultimately remains responsible for the overall provision of the services, including flowing down your security obligations to each subcontractor. This reduces the risk of "finger pointing" in the event of a breach.


You will also need to watch for the primary contractor indirectly limiting or reducing its liability for the acts or omissions of its subcontractors or other third parties, e.g. by treating subcontractor failures as force majeure events or by carving them out in the limitation of liability clause.


CONCLUSION

The standout obligations for me are ensuring vendors comply with applicable standards, giving you a right to suspend quickly when things go wrong, and providing a framework which allows you to hold them accountable for the provision of the services.


Vendors who are not prepared to warrant that they comply with relevant standards, or who do not wish to comply with your internal policies (particularly around security), should set off alarm bells. Make sure your vendors comply with appropriate industry standards.


Along with broad termination rights, a right to suspend is a useful measure when you need to act quickly and cannot necessarily point to a specific default by the vendor. Be prepared to pay for the convenience of having the right should you need to trigger it.


Finally, with multiple vendors often in play, you have to be able to hold them accountable for the services. "Finger pointing" is a popular pastime in technology projects, and having a framework which reduces the risk of this occurring is really important.


Stay tuned for Part 2 where we look at the remaining list items and make some final comments on current cyber contracting trends.
