As negotiators for clients who buy software, hardware, consulting and licensed services, both directly and in the cloud, we are often called upon by our clients to help ensure their vendors are employing adequate protections for our clients’ confidential information. Now more than ever it is essential that technology vendors not only keep their own information safe, but contractually commit to take the specific steps necessary to protect client information against third-party attacks.
Crafting these specific steps can be controversial and time-consuming unless clients prepare a comprehensive written approach to vendor cyber-security in advance of a contract negotiation. In our experience, starting with a minimum benchmark policy that is applied universally puts the client in the driver’s seat and has been met with great success. Negotiating additional restrictions for specific vendors above the baseline is much easier when starting from a universally applicable policy document. Drafting a core policy that is prescriptive enough to be effective, but not so burdensome that it results in weeks of additional negotiation or a plethora of exception requests, is a challenging task, but one worth the effort.
In our experience, a balanced and specific information security addendum that is attached to all vendor agreements is the most efficient approach. When well crafted, such an addendum is generally acceptable to most vendors and can be accepted without adding time to the negotiation process. It should have four key parts:
Vendors need to implement industry-standard or better administrative, technical and physical safeguards to protect the confidential, proprietary or personal information contained within their systems. These safeguards range from multi-factor authentication methods to advanced firewalls and data encryption (both in transit and at rest). Measures to ensure data reliability and integrity also fall within this area, such as segregating client data on dedicated hardware systems when feasible and implementing physical access controls over facilities where data is stored. The critical component of an addendum is to tailor the methods required of vendors to the approach taken by the client.
Requiring vendors to use independent third-party experts to assess their critical infrastructure and systems is key to a client gaining a clear understanding of how seriously a vendor approaches information security. It is easy to talk a good talk, but an SSAE 16 Type II (SOC 2) or equivalent audit covering the vendor’s systems and internal controls provides the kind of comfort many clients are now insisting on, especially in the financial services industry. Clients with more robust information security infrastructure may also include provisions in their information security addendum that grant the client inspection rights or the ability to require additional agreed upon audit procedures.
Even the best defenses can be breached, so vendor processes and systems should address not only how the vendor will respond to a breach, but how it will inform clients when it becomes aware of any actual or suspected unauthorized access to client information. Clients should clearly articulate in their information security addendum the kind of responsiveness and involvement they need. Questions about how quickly the vendor must inform a client of a breach, or about who controls the messaging about the breach to the client’s users, customers, and the public, are critical. This is especially important in light of the recent Cybersecurity Requirements for Financial Services Companies adopted by the New York State Department of Financial Services (23 NYCRR 500) and the 72-hour reporting requirements that begin August 28, 2017. While we see the public reporting of issues as an area still in flux, we do see the enhanced reporting obligations as a foretaste of things to come. The public deserves to know when their data has potentially been compromised, and those that get out in front of response cycles will be the ones that engender public trust in the future.
Vendors who take cybersecurity seriously will show their commitment through a comprehensive independent third-party testing program that may include continuous monitoring programs, annual penetration testing, or both. A regular testing regimen is essential, since changes to systems or network environments, failure to apply security patches, or changes in unrelated processes can create vulnerabilities not captured by the audit or other protective measures described above. Requiring vendors to provide clients with test results and mitigation measures, or requiring vendors to participate in coordinated client tests, are items to consider including in the information security addendum. While requiring the use of “White Hat Hackers” to conduct penetration testing is now commonplace, it is the re-testing to ensure that identified vulnerabilities have been eliminated that makes the “it takes one to know one” concept an effective defense. With all the available testing alternatives, clients may be tempted to set the bar unreasonably high, but the key to keeping negotiations simple is to focus the contractual requirement on the tests a client actually uses on its own systems. Vendors will generally understand that if they want to do business with the client, they need to live up to the standards the client lives by in its own business.
A standardized information security policy that addresses each of these four areas will move vendors much closer to a comprehensive alignment with your company’s information security needs. Quadrant team members are available to design and implement a tailored Information Security Addendum that is both detailed and commercially practical.
Contact: Robert Ming, Managing Partner, firstname.lastname@example.org, 949.443.3626