5 Key Provisions to Look for in Critical Vendor Contracts

With the rise in data breaches and other business-disrupting incidents, organizations can’t afford to neglect their critical vendor contracts. A well-written critical vendor contract helps protect your organization from hidden risks and optimizes your third-party relationship. Whether reviewing a new critical third-party contract or negotiating new terms and conditions of an existing contract, there are many elements you need to consider and thoroughly review with your legal team.

Pricing and discounts are often a big factor; however, you should also be looking for specific provisions to ensure compliance with industry regulations and standards. Let's go through the five key provisions to look for in your critical vendor contracts.

The 5 Key Provisions to Review in Critical Vendor Contracts

1. Your third-party vendor contract should contain adequate and measurable service level agreements (SLAs).
   
   Your critical vendor contract should include minimum service level requirements along with any remedies if the vendor fails to meet such standards. A well-defined SLA should clearly identify expectations and obligations between the parties and should target measuring performance against those objectives.

   Seven things to look for in your critical vendor's SLAs are:
   
   

   • Standards by which the service(s) will be measured

   • Functionality and availability the vendor is committed to providing

   • Acceptable volume of work to be delivered by the vendor

   • Criteria for responsiveness

   • Reporting methods

   • Frequency of reports

   • Rights and remedies in the event of failure to meet the standards (this should allow for termination of the contract should the vendor fail to meet the standards over a specific period of time)

2. Your third-party vendor contract should have sufficient cybersecurity and privacy provisions that cover nonpublic personal information (NPI) and personally identifiable information (PII), as well as proprietary information. 
   
   The contract should clearly identify the critical vendor’s responsibility to maintain policy and procedures to meet the data security objectives of applicable regulations. Depending on your industry and location, this might include regulations such as the Gramm-Leach-Bliley Act (GLBA), various state privacy laws, or the General Data Protection Regulation (GDPR).
   
   A well-written critical vendor contract will address safeguards that are designed to do the following five things:
   
   
   • Ensure security of NPI and PII
   • Protect against anticipated threats
   • Protect against unauthorized access and have mitigation plans in the event of a security breach
   • Properly dispose of confidential information and data
   • Maintain confidentiality of proprietary information

   Note: Breach notification requirements are also essential to ensure that your critical vendor notifies you quickly after a security incident. The details of the breach notification will generally include a timeline and instructions on how the vendor will handle the compromised information.

3. Your contract should identify any fourth parties, or subcontractors,  and ensure that these relationships are in accordance with industry guidance.
   
   If any fourth parties are identified, it is important to include the following six provisions within your critical vendor contract:
   
   
   • Identify any primary subcontractors and affirm the vendor’s responsibility for all contractual obligations.
   • Require the third-party vendor to get signed approval before using a subcontractor to support your organization’s products or services.
   • State the vendor’s obligation for monitoring and performing oversight of its subcontractors’ operations in accordance with industry guidance and contractual obligations. This may include reporting on a subcontractor’s conformance, such as performance measures and compliance.
   • Document that subcontractors will be held to standards no less than those established between you and your vendor.
   • Your vendor should specify recovery objectives and testing requirements for any subcontractors. They should also provide disclosure of any such testing results and audits performed.
   • Prohibit subcontractors from using or disclosing proprietary information, NPI, or PII without permission.
4. Your vendor should provide appropriate due diligence documents on a yearly basis.
   
   Contracts should require that vendors provide, at a minimum, the following seven types of due diligence documents annually:
   
   
   • SOC reports
   • PCI compliance certificates
   • Certificate of insurance
   • Financial reports
   • Network penetration and/or vulnerability assessment
   • Intrusion detection and incident response plans
   • Business continuity (BC) and disaster recovery (DR) procedures
   Note: Also make sure to include a right to audit clause, which obligates your critical vendor to provide documentation upon request.
5. As a best practice, critical vendor contracts should include a business continuity and disaster recovery plan. This is also recommended for contracts by top regulators, as in the Interagency Guidance on Third-Party Relationships.
   
   Contracts should include provisions that cover the following areas:
   
   
   • Accessibility to your vendor’s BC planning policies and procedures
   • Independent testing requirements that demonstrate the ability to meet sufficient recovery objectives
   • Frequency and availability of such test results
   • Business resumption and incident response requirements, including customer disclosure responsibilities
   • Established recovery times for the return of critical business functions
   • Back up responsibilities, including the protection of programs, data, and equipment
   • Cyber resilience
   • Management of third party/outsourced business continuity
   • The ability to transfer accounts or activities to another third-party vendor without penalty, in the event of the vendor’s bankruptcy, business failure, or business interruption

But Wait! There Is More.

While the above are just a few of the major elements to review within your critical third-party vendor contracts, they are by no means the only important provisions. However, these contract elements are more likely to be flagged by regulators and auditors if they are not properly addressed, so it is important to pay extra attention to them. Critical vendor contracts should also include other elements such as dispute resolution, default and termination, indemnification, and ownership and license. While this is a lot of information to keep track of, it is essential for critical vendor contracts to be reviewed regularly as part of an effective contract management strategy.

Contracts can be an effective risk management tool, provided you have a firm understanding of the vendor relationship, include all necessary provisions in the contract, and manage and monitor the contract on a regular basis.