Drafting Cybersecurity Requirements Into the Vendor Contract
Ensure your vendor contracts protect your organization.
Learn best practices that should be included in your third-party risk management program to ensure you keep your organization protected from data breaches and other cybersecurity incidents.
Hi – my name is Hershey with Venminder!
During this podcast, you'll learn helpful insights on how to establish cybersecurity expectations when drafting vendor contracts.
Here at Venminder, our team of qualified industry experts includes paralegals, who understand some of the best strategies to reduce cybersecurity risk through a well-written vendor contract.
Cybersecurity Awareness Month is a great time to brush up on some best practices that should be included in your third-party risk management program. You might be wondering what the connection is between cybersecurity and vendor contracts. After all, these are usually managed by different teams!
Well, a vendor contract is one of the most important tools you’ll need to set expectations around your vendor’s cybersecurity practices. Your contract isn’t simply a document about pricing and service levels. It should also include details about how your vendor will prevent and respond to cyber incidents.
- First, let’s talk about setting expectations around breach notifications in vendor contracts.
Not only is this a best practice, it’s also a regulatory requirement for many industries, like healthcare and finance. Third-party data breaches can occur at any time, even if a vendor has strong controls in place like regular security testing and multi-factor authentication. When your vendor is impacted by a data breach, there’s a chance that your data is also at risk, so it’s important that you’re notified as quickly as possible. A breach notification clause requires your vendor to alert your organization after they discover a cyber incident.
In general, you’ll want to suggest a timeline of 24 to 72 hours from the time that the vendor is aware of the incident. However, some situations may justify an even shorter timeline, especially if the incident has a significant impact on your vendor’s operations.
The breach notification clause should also require details about how the vendor will investigate the incident, handle any compromised information, and prevent future breaches. You may want to consider any potential consequences of the data breach, whether it’s early termination of the contract or a temporary suspension.
- In addition to breach notifications, your vendor contract should also include a cyber right to audit.
This essentially means that your vendor is obligated to provide certain documentation whenever you request it. Vendors will generally expect these requests as part of periodic due diligence reviews, but a right to audit clause will ensure that you can obtain documentation at any time.
For example, imagine that you just performed an annual due diligence review, and one week later, your vendor discovered a new vulnerability that was exploited within their system. Maybe your vendor was able to patch this vulnerability quickly and they performed a new round of security testing to ensure that their controls are still effective. You would likely want to review these testing results as soon as possible, and not wait until the next due diligence review. A right to audit clause would allow you to obtain those testing results whenever you ask for them.
- And finally, your vendor contract should provide expectations around data protection measures.
The details of these expectations will depend on your organization’s needs and the type of information that your vendor is handling. This can cover a wide range of areas such as how data should be encrypted or classified, and how your vendor will retain and destroy your data. Other data protection measures include routine security training and testing, backup and recovery procedures, and additional cybersecurity coverage on the vendor’s insurance policy. You should also require your vendor to provide copies of their current information security policy and incident response plans, when requested.
By including all these cybersecurity expectations in your contract, both you and your vendor should have a mutual understanding of several critical areas. These expectations can help avoid misunderstandings or assumptions about how your vendor will protect your data and notify you of an incident. Managing your vendor’s cybersecurity risk is more important than ever and it begins with a detailed contract.
Thanks for tuning in; catch you next time!