Magazine article Risk Management

Using Contracts to Curb Cyberrisks


Article excerpt

Organizations frequently share information--some of it sensitive or confidential--with vendors in their supply chain. But many data breaches, such as Target's 2013 breach that exposed the payment card data of 40 million customers, have resulted from poor cybersecurity on the part of a vendor. While no organization or vendor can ever be completely safe from cyberrisks, contracts are a natural place to address cybersecurity and to establish requirements that vendors must follow to reduce the organization's risk exposure.



Any contract with any vendor that involves handling of an organization's data should include a notice and cooperation clause. This clause should be structured so that, if a vendor suffers a cybersecurity incident, the vendor must notify the organization and cooperate in any forensic investigation necessary to determine the scope of the event.

The contract needs to define "cybersecurity event" or "breach of security" as broadly as possible and should also include definitions for "confidential information" that include personally identifiable information and protected health information of customers and employees, as well as any proprietary or non-public information that will be shared between the organization and the vendor.

Notice is important because some risks associated with a cybersecurity event can be mitigated if incident response plans are put into action in a timely manner. Organizations may also be required by regulatory bodies to give notice of the event, and those regulatory deadlines can only be met if the vendor reports first. The notice clause should therefore contain specific language, including a time period for reporting and a description of to whom the notice should be directed, and should be tied back to the defined term "cybersecurity event" or "breach of security." For example: "Notice is required within 48 hours to the chief information officer of the organization if the vendor has knowledge of or reasonably suspects that a cybersecurity event has occurred."

The cooperation clause needs to state that the vendor will cooperate with the organization during any investigation necessary after the discovery of a cybersecurity event. If the event involves customer information, the contracting organization will likely be the party ultimately responsible for notifying affected customers. Organizations may also face public relations risks and potential regulatory investigations. The cooperation clause is an important tool to make sure the vendor will help facilitate such investigations, including preserving and producing the logs and forensic evidence needed to establish the scope of the event.


When crafting vendor contracts, include provisions that require the vendor to agree to certain cybersecurity practices and that grant the organization audit privileges. Depending on the type of vendor, its access to an organization's systems, and the type of information shared, the specificity of the cybersecurity practices clause can vary. At a minimum, the vendor should represent and warrant that it will employ security measures for the organization's information that equal or exceed the security measures for the vendor's own information. Note that this baseline is only as strong as the vendor's own program, so organizations should also consider asking the vendor to represent and warrant that its cybersecurity practices follow a risk-based compliance framework such as the NIST Cybersecurity Framework, ISO's cybersecurity standards or the CIS Critical Security Controls.

Vendors should provide documentation of their information security programs so companies can investigate their level of security and controls. …
