Data Privacy / Cyber Risk - How to use contracts to manage it better?

Amit Sharma
June 14, 2022
2 min read

How to manage Cyber Risk effectively using right contract language?

You're only as strong as your weakest link. In this article, we discuss the risks that 3rd parties pose and complexity that arises due to evolving regulatory environment, and role of careful contracting in managing them.

Usually, data incidents originate with a vendor whose security has not been validated, due to a weak contract.

Vendors are typically the target of cyber attacks because they often possess valuable data from multiple clients. If you look up the recent history of cyber attacks, it is replete with vendors / providers in Healthcare, BFSI & cloud service providers space. In many cases, the customers of these vendors / providers suffer reputation and financial damages because the end consumers usually hold them liable.

It is crucial for security and privacy leaders to monitor and update contracts with third-party vendors to protect their organizations from data breaches.

In the event of a cyberattack, it becomes critical to know how your data may be at risk and what legal mechanisms your organization has to inspect third parties’ security or minimize liabilities. Then, there is a concept of "n-th party" risk – the third parties of your third party, or their third parties, etc.

Do you know who your third parties are? What type of data your third parties have access to? What practices your third parties employ in their enterprises? What third parties your third parties rely on to provide the service you use?

Beyond 3rd parties, there is an alphabet soup of data privacy regulations and agencies to deal with.

  • Within US - state wise data protection & data breach notification laws
  • Internationally - almost every major economic bloc / country have their own data privacy framework
  • Sector specific legislation (HIPAA, GLBA, etc.)
  • Number of different enforcement agencies and their requirements (State AGs, State DoIs, DoJ, SEC, FTC, OCC, CFPB, etc.)

If you're the privacy officer of a large national or a global firm in industries like Healthcare, Insurance or Banking, you need a robust system to review and monitor contracts diligently to ensure your organization and its partners need to comply with nuances of evolving requirements.

So, what role do contracts have to play in all this?

Typically, you manage cybersecurity risk through a combination of three approaches:

  • Eliminate: usually its nearly impossible or economically unviable to completely eliminate risk
  • Transfer - typically using insurance (cyber insurance policies)
  • Mitigate - where careful contract drafting, negotiations & tracking comes in. When selecting vendors and writing contracts, it’s important to address cyber issues, liability and indemnification.

The key clauses which address these issues are:

  • Liability and Indemnification
  • Notice and Cooperation Clauses
  • Cybersecurity Practices and Audit Privileges
  • Cyber Liability Insurance and Indemnification
  • Emerging Regulations
  • Force Majeure

Each of these clauses is mechanism to manage the cyber risk. We will get into details like sample language, preferred inclusions / exclusions, coverages, relationship with 3rd parties, etc. - for each of these in later posts.

However, the story does not end at carefully articulating the clauses and managing risk using conservative approaches. Companies good at this are tracking the obligations for themselves and their 3rd parties (as defined in contracts and regulatory guidance) diligently using various tools (AI, Dashboards, etc.). These tools ultimately generate insights for CFOs around risks existing in each transaction and the overall portfolio.

Get in touch with us if you’d like to discuss how we’re helping our clients manage cyber risk in their contracts.

More Like This

Day 3 of 20 - Contract Summaries using Generative AI

Here, we discuss one of the most powerful application of Generative AI to contracts - summaries. From generic summaries to term summaries to custom summary templates, learn how to leverage LLMs to assist you.

Read More

What is an Intelligent Contract Repository and what are its benefits?

Key needs in contract management include locating all your signed contracts and being able to query them quickly. In this article, we discuss how an Intelligent Contract Repository helps you achieve both these goals

Read More

Day 2 of 20 - Contract Risk Analysis using Generative AI: Force Majeure

How Generative AI can be use to perform rigorous Contract Risk Analysis. In this example, we discuss a technique called as 'Chain of Thought' (CoT) to illustrate how LLMs can perform reasoning tasks in contracts.

Read More