Organizations frequently share information—some of it sensitive or confidential—with vendors in their supply chain. But many data breaches, such as Target’s 2013 breach that exposed the financial data of 40 million customers, have resulted from poor cybersecurity on the part of a vendor. While no organization or vendor can ever be completely safe from cyberrisks, contracts are a natural place to address the topic of cybersecurity and establish requirements for vendors to follow to reduce the risk exposure.
Notice and Cooperation Clauses
Any contract with any vendor that involves handling of an organization’s data should include a notice and cooperation clause. This clause should be structured so that, if a vendor suffers a cybersecurity incident, the vendor must notify the organization and cooperate in any forensic investigation necessary to determine the scope of the event.
The contract needs to define “cybersecurity event” or “breach of security” as broadly as possible and should also include definitions for “confidential information” that include personally identifiable information and protected health information of customers and employees, as well as any proprietary or non-public information that will be shared between the organization and the vendor.
Notice is important because some risks associated with a cybersecurity event can be mitigated if incident response plans are implemented in a timely manner. Organizations may also be required by regulatory bodies to give notice of the event. The notice clause should contain specific language including a time period for reporting and a description of to whom the notice should be directed, and be tied back to the defined term “cybersecurity event” or “breach of security.” For example: “Notice is required within 48 hours to the chief information officer of the organization if the vendor has knowledge of or reasonably suspects that a cybersecurity event has occurred.”
The cooperation clause needs to state that the vendor will cooperate with the organization during any investigation necessary after the discovery of a cybersecurity event. If the event involves customer information, it is likely the contracting organization may be ultimately responsible for notifying affected customers. Organizations may also be faced with public relations risks and potential regulatory investigations. The cooperation clause is an important tool to make sure the vendor will help facilitate such investigations.
Cybersecurity Practices and Audit Privileges
When crafting vendor contracts, include provisions that require the vendor to agree to certain cybersecurity practices and that grant the organization audit privileges. Depending on the type of vendor, its access to an organization’s systems, and the type of information shared, the specificity of the cybersecurity practices clause can vary. At a minimum, the vendor should represent and warrant that it will employ security measures for the organization’s information that equal or exceed the security measures for the vendor’s own information. Organizations may also consider asking for the vendor to represent and warrant that cybersecurity practices follow a risk-based compliance framework like the NIST Cybersecurity Framework, ISO’s cybersecurity standards or CIS Critical Security Controls.
Vendors should provide documentation of their information security programs so companies can investigate their level of security and controls. Companies can create a security questionnaire or require independent audit reports that verify this information. Organizations should also consider contract provisions that require updated security reports and penetration testing summary reports.
Cyber Liability Insurance and Indemnification
Contracts must include clauses that reduce the risk of a financial burden in the event that a vendor does cause a cybersecurity incident. As with provisions requiring certificates of insurance for general liability or other coverages, a provision should be added that requests insurance information for stand-alone cyber liability coverage, including the limits available, retention levels and whether the policy form grants coverage for the organization.
Some vendors do not carry stand-alone cyber liability coverage. In this situation, organizations should add a provision specific to cybersecurity events that requires that the vendor indemnify costs related to notification, legal fees, judgments, settlements, forensic experts and public relations efforts. Contracts may also include loss of business income or reputation damage, but vendors will be less likely to agree to these indemnification categories. As a compromise, organizations can consider liquidated damage provisions for loss of business income or reputation damage.
Companies should be careful to exclude cybersecurity indemnification provisions from limit of liability sections that may govern more general indemnification provisions. Typically, such provisions will be capped at a low dollar amount or at the monthly (or multiple months’) fee the organization is paying the vendor. But cyberrisk should be treated separately because, if the vendor causes a cybersecurity event that requires consumer notification, the costs can easily surpass the limits of liability found in most vendor contracts.
In general, organizations must take care when drafting indemnification and cyber liability insurance provisions. As a general rule of thumb, contracts need to include either one or the other. Recent case law has applied “liability assumed by contract” exclusions found in most cyber and commercial general liability policies to exclude cyber coverage if the vendor agrees to pay the damages via contract.
Recent laws and regulations, like the New York Department of Financial Services regulation on cybersecurity, dictate that cybersecurity concerns for third-party vendors be a part of organizational risk management. Companies should assess the cyberrisk of each vendor relationship and endeavor to construct contracts so as to mitigate as much risk as possible.
It is a best practice for organizations to identify minimum security protocols and standards for vendors and judicially apply these standards during the vendor selection and contracting process. Legal requirements for cybersecurity are constantly maturing. Organizations should therefore monitor changes to the law and create risk management processes and procedures to protect their information, especially when contracting with vendors.