How to manage Cyber Risk effectively using right contract language?

‍

You're only as strong as your weakest link. In this article, we discuss the risks that 3rd parties pose and complexity that arises due to evolving regulatory environment, and role of careful contracting in managing them.

Usually, data incidents originate with a vendor whose security has not been validated, due to a weak contract.

Vendors are typically the target of cyber attacks because they often possess valuable data from multiple clients. If you look up the recent history of cyber attacks, it is replete with vendors / providers in Healthcare, BFSI & cloud service providers space. In many cases, the customers of these vendors / providers suffer reputation and financial damages because the end consumers usually hold them liable.

It is crucial for security and privacy leaders to monitor and update contracts with third-party vendors to protect their organizations from data breaches.

In the event of a cyberattack, it becomes critical to know how your data may be at risk and what legal mechanisms your organization has to inspect third parties’ security or minimize liabilities. Then, there is a concept of "n-th party" risk – the third parties of your third party, or their third parties, etc.

Do you know who your third parties are? What type of data your third parties have access to? What practices your third parties employ in their enterprises? What third parties your third parties rely on to provide the service you use?

Beyond 3rd parties, there is an alphabet soup of data privacy regulations and agencies to deal with.

• Within US - state wise data protection & data breach notification laws
• Internationally - almost every major economic bloc / country have their own data privacy framework
• Sector specific legislation (HIPAA, GLBA, etc.)
• Number of different enforcement agencies and their requirements (State AGs, State DoIs, DoJ, SEC, FTC, OCC, CFPB, etc.)

If you're the privacy officer of a large national or a global firm in industries like Healthcare, Insurance or Banking, you need a robust system to review and monitor contracts diligently to ensure your organization and its partners need to comply with nuances of evolving requirements.

So, what role do contracts have to play in all this?

Typically, you manage cybersecurity risk through a combination of three approaches:

• Eliminate: usually its nearly impossible or economically unviable to completely eliminate risk
• Transfer - typically using insurance (cyber insurance policies)
• Mitigate - where careful contract drafting, negotiations & tracking comes in. When selecting vendors and writing contracts, it’s important to address cyber issues, liability and indemnification.

The key clauses which address these issues are:

• Liability and Indemnification
• Notice and Cooperation Clauses
• Cybersecurity Practices and Audit Privileges
• Cyber Liability Insurance and Indemnification
• Emerging Regulations
• Force Majeure

Each of these clauses is mechanism to manage the cyber risk. We will get into details like sample language, preferred inclusions / exclusions, coverages, relationship with 3rd parties, etc. - for each of these in later posts.

However, the story does not end at carefully articulating the clauses and managing risk using conservative approaches. Companies good at this are tracking the obligations for themselves and their 3rd parties (as defined in contracts and regulatory guidance) diligently using various tools (AI, Dashboards, etc.). These tools ultimately generate insights for CFOs around risks existing in each transaction and the overall portfolio.

Get in touch with us if you’d like to discuss how we’re helping our clients manage cyber risk in their contracts.

‍