Contracting for cyber security risks for customers

Cyber security is a business imperative, and the reason is simple: the impact of a security breach can be severe. Any approach to cyber security must address each group that has access to the systems and data of a business, such as its customers, providers, affiliates and employees. This article is focused on the cyber security risks for a business when contracting with its service providers.

Factors that affect risk include the type of business the customer operates; the level of access the provider has to systems and data; the data involved (and the sensitivity of the data); the potential impact of security breaches (and data being lost or stolen); and compliance with the applicable regulatory regime. The risk profile may also differ through the phases of service provision, from transition to steady state and finally, exit. The following is a summary of the key cyber security issues to address in the contract for services, which can be tailored by the customer to the circumstances of each deal:

  1. What arose during the customer’s due diligence in relation to the services to be provided and the provider itself which should be covered in the contract? For example, if the provider was chosen because of their compliance with certain security standards, ensure they have a contractual obligation to continue to comply with those standards.
  2. Who has a right to access systems and data?
    • Can access be limited (physically and logically) to provider personnel who have a strict need to access systems and data? Have those personnel been background checked and trained in data security?
    • What is the minimum amount of data that the provider needs to access?
    • How long is access required?
    • Can access be monitored and logged to provide an audit trail?
    • What other access controls can be put in place?
  3. How will systems and data be accessed, both physically and logically? If remote access is to be provided or data is to be transmitted, what additional safeguards can be used?
  4. Be specific about how data can be used and equally explicit about any restrictions on use. What data can be shared or disclosed to third parties and in what circumstances? Ensure the confidentiality provisions in the contract are adequate and aligned to the provisions relating to data.
  5. What data can or must be stored by the provider? What data cannot be stored?
  6. Where will data be stored by the provider? Does this cause any logical or physical security concerns, or regulatory compliance concerns?
  7. How will data be stored? What security standards and controls will be in place?
  8. What protections must the provider comply with in relation to system security (eg anti-hacking software, anti-virus software, application of regular software updates, network security maintenance including firewalls) and storing, processing and transmitting data (eg encryption, especially on removable media or portable technology)? Are the provider’s relevant standards, policies and procedures sufficient, given the harm that could result from a security breach?
  9. Can the customer’s data be segregated from other data? In addition, can a particular data subject’s data be segregated, processed in a certain manner, ported or deleted?
  10. Can the provider introduce hardware or software into the customer’s IT environment, and how will the integration be managed to reduce risks? The provider should be obliged to provide hardware and software free of defects, viruses and vulnerabilities, and to promptly remedy any such issues if they arise.
  11. Include an obligation for the provider to comply with applicable laws, industry standards and guidelines, and changes to the same (with any consequential impact on service delivery methods or other contractual provisions to be agreed by the parties).
  12. The customer should have its own comprehensive and current standards, policies and procedures to cover security and data protection, including policies relating to access, storage, usage and transmittal of data, document retention, employment and HR (including vetting and background checking), IT usage, privacy, and incident management. These standards, policies and procedures must cater for the services being provided and the service delivery model offered by the provider.
    • The provider should be required to comply with the customer standards, policies and procedures as they change from time to time (again, with any further contractual impact of the change to be agreed).
    • Provider personnel should be fully trained in relation to the customer policies and the contract, including any notification and escalation provisions in the event of a breach or cyber attack.
  13. Consider the contractual consequences of a security breach.
    • Ensure there is a requirement on the provider to notify the customer of a security breach within timescales that allow the customer to comply with its regulatory or contractual notification requirements.
    • Consider also the controls the customer requires over any notification of a security breach to regulatory authorities or other third parties.
    • Include express provisions relating to the co-operation and support to be provided by the provider in the event of a security breach in order to contain a breach and its impact, to recover or restore any data (eg roles and responsibilities of a security breach team that the provider will make available to support the customer), and to enable the customer to comply with its obligations under regulations.
    • Require the provider to prepare an incident response plan that the parties can implement if a security breach occurs.
    • Include rights to remove provider personnel for violations of the contract. Consider also whether rebates or credits for a failure by the provider to comply with the contract terms may encourage compliance.
  14. Consider whether liability is capped or excluded in relation to a data security breach. Are regulatory fines stated to be a direct loss and recoverable without limit?
  15. Ensure the customer has adequate rights to terminate the contract (including express rights to terminate for breach of the data security and confidentiality provisions, or more specific obligations where necessary) and claim damages.
  16. How will data be returned or deleted? Equally, is data retention a requirement in any circumstance, and if so, for what period? How will equipment and materials be destroyed? How will shared technology be disconnected?
  17. Allocate responsibility for cyber and privacy insurance with coverage and limits that are appropriate for the services provided, and the potential impact of breaches.
  18. Add provisions that require regular review of the provider’s compliance with the contract, including through reporting and governance meetings. Ensure the contract and related policies and procedures are maintained to address new cyber threats, the available protections and changes to laws and industry standards.
  19. Include rights to audit the provider’s compliance with the contract. Audits and risk assessments should be carried out regularly and the robustness of policies and measures (both logical and physical) should be tested periodically.

In summary, the customer needs to assess and address the risks of each service arrangement independently so that the resulting contract provides adequate protection for the customer. And as mentioned in the introduction, there are many constituent pieces of the cybersecurity jigsaw. As one jigsaw piece changes, the customer must review all other moving parts to ensure the customer maintains a comprehensive and cohesive approach to cyber security.