As the founder of a law firm and two cybersecurity firms, my clients often reach out to me to manage technology contracts that have cybersecurity and privacy implications. My clients range from small organizations with minimal processes to larger firms with Chief Information Security Officers (CISOs), separate risk functions, and legal departments. I get a bird’s eye view into the challenges they experience aligning the contracting, security and procurement/diligence functions, as well as trying to maintain a consistent framework for enforceable security and privacy obligations.
These challenges can arise from a lack of subject matter expertise within the legal function, the pressure to expedite the contract process, and sometimes the perception that larger third party providers hold the leverage. The security or procurement/diligence functions find that third party providers are generally more open about their security and privacy practices during the diligence process than during the contracting process. While there may be truth to these points, failing to make the core security and privacy diligence representations of your critical vendors enforceable potentially puts the enterprise at significant risk and runs contrary to the risk mitigation role that legal serves. Moreover, for ongoing third party provider relationships, risks are likely to increase as products or services are added through addendums and Statements of Work.
With the increasing costs of security breaches and the increasing liability of companies for the security of their extended network (i.e. their vendors) whether under GDPR (General Data Protection Regulation), financial or health regulation, or state law (such as New York Department of Financial Services or NYDFS cybersecurity regulations, California’s Consumer Privacy Act or CCPA), relying on an unenforceable assurance from your third party provider may no longer be acceptable particularly when nonpublic personal information is at stake. Moreover, having a due diligence process that addresses cybersecurity and data privacy concerns but does not integrate with the contracting process will lack the proper mechanisms for enforcement if the most critical diligence findings never make it into the contract. How enforceable is a point in time assessment or response if there is no related warranty or covenant for a third party vendor to maintain the associated controls? Moreover, if your contract actually provides for a generic “reasonable best practices” warranty for security or privacy controls, what does that exactly mean if the core controls you relied upon are not referenced in any enforceable obligation running to the third party provider?
I think most readers will readily accept that contractual commitments to cybersecurity and privacy protections are better than simply having an implied assurance that comes from third party due diligence. The issue, however, generally boils down to implementation. For this reason, organizations should contemplate adopting a framework that is adapted to their environment and would be wise to abide by some simple standards for implementation.
Identify relevant third-party risks. While you can start with a canned list of risks, you ultimately need to adopt one that is right sized and tailored to your company. This list might include vendor data breach, a loss of critical operations, fraud, IT risks, reputational risk (associated with a breach), support issues, etc. but should be more specific to your business. An existing company risk register would be helpful but in the absence of that or something similar, you may want to include in this list: a description of the risk, severity of the risk, its impact, possible response action and current status of the risk.
Identify common scenarios/variables impacting risk severity. Incorporating security and procurement concerns into the contracting process will be streamlined by a standardized framework. That framework should streamline the identification of the most relevant organizational security and privacy risks as well as the severity of those risks. Examples include whether the service/product is critical to operations or whether the vendor or other third parties will gain access to, process or store non-public information. Make sure to reference any applicable policies and procedures to ensure that they are being addressed as well.
Legal, security and procurement/diligence functions develop model language. Through a collaborative process that does not have the pressure of an imminent contract behind it, the legal, security and procurement/diligence functions should determine the most important contractual terms that align with the risks by severity of risk. To simplify adoption, these terms should be incorporated into a flexible “Data Privacy & Security Exhibit” which can then be incorporated by reference into agreements, statements of work, service level agreements and addenda as appropriate.
In addition to specific protective provisions, the exhibit should contemplate, in accordance with the variables identified above, the necessity of:
- A contract audit process for strategic suppliers;
- Mitigating action required of the third party provider to address any unique risks identified during the diligence process (e.g., assessment techniques, cybersecurity insurance requirements and coverage amounts);
- Incident management responsibilities;
- Corrective action/remediation obligations;
- High availability and disaster recovery requirements;
- Qualitative and quantitative metrics (e.g. KPIs, SLAs); and
- Applicable data security rules and regulations (e.g. FINRA, SEC, CFTC, NYDFS cybersecurity regulations, HIPAA) and data privacy regulations (e.g. GDPR, CCPA).
Make sure to contemplate compliance enforcement and remedies for breaches of the foregoing.
Get buy-in from the stakeholders. Although it is sometimes easier said than done, it is a good idea to advise those who will be impacted by this process early on. Arguably, awareness of the current state of cybersecurity threats and privacy regulation should facilitate this process. As part of coordinating with the stakeholders, make sure that the exception process is also addressed, for example when the business has already determined that a particular third party provider must be used. Irrespective of the pressures in such situations, it remains important that the process for identifying the risks and the variables associated with that risk still occurs (even if not contemporaneously) and is documented.
Ensure that the security and diligence functions consistently identify relevant risk factors for the legal function. Your process should contemplate a workflow for ensuring that the appropriate inputs are provided to the legal function so that the appropriate provisions for those risks and variables are incorporated into the data privacy and security exhibit for a third party provider.
Monitoring. The process for third party risk management enforcement should also contemplate:
- Ensuring that all new services or products subsequently implemented under a prior agreement are required to be incorporated into that agreement by mutual written agreement of the parties, so that new risks can be addressed.
- Ensuring that newly identified risks, or the closure of old risks, are reflected in your list of identified third party risks as relevant, and noted in the applicable provider’s file to be addressed upon renewal.
Compliance. The importance of conducting ongoing risk assessments of your third party providers is beyond the scope of this blog, but irrespective of your process your company is going to need to evaluate periodically whether your providers are meeting their contractual commitments with respect to information security and data privacy. While self-attestations can provide some assurance, you can also leverage external reports provided by audit firms and third party assessors (such as SOC, SSAE, SIG or other reputable assessment frameworks). You may also contemplate using tools that leverage basic external intelligence to determine whether your providers are experiencing security threats or events that are not otherwise being disclosed to you. Lastly and most importantly, if your provider triggers any alerts as part of your own security monitoring process, you have a duty to investigate.
Consistent Reporting. Most companies have (or should have) a process in place around contract renewals to consider new threats and risks that are logged in the third party provider’s file along with any developing concerns. For example, the tightening of applicable data privacy regulations might necessitate new commitments when a contract with a processor of personal information is up for renewal. Failure to identify such changes before renewal could jeopardize a company’s compliance. Similarly, and perhaps more importantly, if a third party provider has experienced new and relevant risk events, contractual provisions around enforcement may need to be strengthened.
Update the Exhibit. Consistent reporting will allow you to make determinations around both the master data security and privacy exhibit template as well as the exhibit applicable to any particular third party provider. The emergence of new information respecting the third party provider or your organization should also trigger such changes. Examples include data privacy law requirements (such as GDPR, CCPA, etc.), new cybersecurity and malware threats, data breaches, changes in cybersecurity trends, etc.
Managing pushback. Despite all our well-intentioned efforts to protect enterprise value by managing risk, at some point there may be pushback from the business even if they have previously bought into the process. In such situations it is, as noted above, important to still document the risks and the relevant variables impacting the severity of that risk using the framework you have previously created. Additionally, a decision will need to be made with regard to such risks. There are four potential responses: (i) avoid – refuse to accept the risk; (ii) control or mitigate – change how your company is consuming the third party provider’s service or product, or take additional measures to reduce your company’s exposure to the identified risks; (iii) accept/retain – as noted above, ensure that the agreed-to sign-offs are retained and document the acceptance of that risk in the third party provider’s file; and (iv) transfer/share – this involves outsourcing the risk to a third party, typically an insurance carrier. Note that when documenting the acceptance of risk, the security due diligence results should be included as a possible mitigating factor.
Cybersecurity and privacy regulation have become as critical to address in technology related contracts as confidentiality provisions…but can be significantly more complex. The complexity of regulations and the potential exposures that companies face through their extended networks make it more important than ever to ensure that third party providers are abiding by their security and privacy obligations. The Data Privacy and Security Exhibit, together with the process surrounding it, will help to ensure that your third party providers are held accountable for taking the requisite measures to preserve your enterprise value.