Cybersecurity Awareness III: Managing Supplier Risk


A strong enterprise-wide information security program includes managing third-party risk. Diligently investigating your service and supply chain providers gives additional assurance that they will meet your security requirements.

Do their security policies comply with yours? Have they implemented them and performed the requisite employee training? Do they have tested incident response procedures? If so, contract protections and ongoing supplier monitoring are the next step. Key contractual provisions include:

  • Confidentiality: Ensure suppliers understand what your confidential information is, that they are obligated to secure it, and that they may not disclose it without your consent.

  • IP Ownership: If the supplier has access to data about your customers, your products, specifications, business needs and operations, not only should the confidentiality of this information be maintained, but the contract should clearly provide that your company is the sole and exclusive owner. If the supplier is developing other materials or technology, the contract should default to company ownership. At the very least, the provision will elicit a discussion about ownership, the results of which should be memorialized in the agreement.

  • Service Levels: Suppliers should be obligated to meet your requisite level of service on a consistent basis with, perhaps, the right to terminate for chronic, inconsistent service.

  • Require compliance with your policies and procedures.

  • Ongoing Monitoring: Ensure you have the right to access the supplier's facilities to inspect, audit, review ongoing risk assessments, perform penetration testing where applicable, and monitor data access and use.

  • Data Breach: In the event of a breach, you should control the investigation. You should determine whether data breach notification is required. If you believe it is, you should then control whatever notification may be required: to state attorneys general, consumer reporting agencies and regulatory agencies, as well as to the affected individuals and the media.

  • Appropriate representations and warranties.

  • Indemnification.

  • Ensure liability limits and disclaimers are appropriate under the circumstance.

  • Insurance: Require insurance so that a pool of money is available to provide the requisite indemnification and defense if you are sued, and to cover your damages.

  • Termination: Ensure that your rights to terminate clearly address your needs. This applies not only to breach; you may need the ability to adjust the contract for business reasons. If your industry experiences a business downturn, the primary user is a business unit that is being sold, or you are acquiring a company, the contract should be flexible enough to enable you to make the necessary adjustments.

  • Ensure you have transition assistance if necessary.

  • Be on guard if the supplier licenses software to provide your services. The contract terms should ensure you have the right to continue to license key software if desired.

A disclaimer: These are only a sample of the most significant terms; these and other provisions need to be addressed both in the master contract and in any statements of work. The objective is to have as much clarity in writing as possible about each party's obligations and to be as prepared as possible for any occurrence.


About the Author

Martha Lessman Katz, Member of the law firm of Gordon, Feinblatt, Rothman, Hoffberger & Hollander LLC

Martha Lessman Katz specializes in data security and privacy, intellectual property, licensing and technology transactions, eCommerce, social media and other issues relating to the internet. She is a member of the law firm of Gordon, Feinblatt, Rothman, Hoffberger & Hollander LLC and can be reached at [email protected].
