Published on: December 06, 2022
In this episode, we're going to be sharing our top tips for contracting to mitigate against cyber risk in your supply chain and making sure you're appropriately protected if it does go wrong.
Supply chain attacks, where the target organisation's supplier is used as the attack vector, are becoming increasingly prevalent. Remember, your supply chain is only as secure as its weakest link.
Preventing the breach in the first place is always the best course of action. Your first port of call should be to carry out due diligence on your supplier's security policies and breach track record. This should cover operational, digital and physical controls in each area. Using a supplier that holds independent third-party accreditation, such as ISO 27001, will shortcut some of this work.
If your suppliers will be accessing your premises or systems, you'll want to make sure that they comply with your policies and procedures when doing so. However, it's equally important to make sure that the suppliers' own systems are subject to adequate controls, particularly when those systems will be used to process or store your data or to access your systems.
Contracts should clearly define responsibility for security and what is in and out of scope. The supplier's responsibilities should reflect the key areas explored in your technical diligence. Annual testing and audit rights can help ensure that security stays front of mind for your suppliers.
Security obligations should extend to all confidential information, not just personal information. This is an oversight we see regularly. You'll also want to make sure that no other provision in the contract effectively cuts across the supplier's security obligations, for example a force majeure clause or any other provision under which the supplier excludes liability for third-party actions.
Where appropriate, ensure that your supply contracts give you the right to monitor and enforce security compliance: a pattern of small incidents can lead to a major cyber event if action is not taken promptly.
Contract risk and contract value aren't necessarily correlated, especially when it comes to security events. As such, capping a supplier's liability at the annual contract value may not be appropriate; a higher cap or uncapped liability may be required.
Obligations requiring the supplier to notify you of security events within timeframes that enable you to meet your own notification obligations should be included. Remember that you may be required to disclose information about the supplier's role in the cybersecurity event, so you'll want to make sure that the confidentiality provisions in the contract don't present any speed bumps or roadblocks to making those disclosures.
For larger-scale strategic sourcing contracts, define how the parties will work together in the event of a major security incident, and involve your suppliers in your planning, testing and simulation activities. This should be dovetailed into the BCDR (business continuity and disaster recovery) obligations and the response and resolution service levels.
That brings us to the end of our cybersecurity edition of the digital download. We hope you've enjoyed it and picked up a few tips along the way. Thanks for joining us.
Partner, Technology and Digital
Special Counsel, Technology and Digital