All I need is a contract to manage my vendor security risks, right?
You have a standard contract that includes cyber security language to protect your company’s systems and data. You have a contract management system that tracks agreements with your vendors. You should feel comfortable that your vendors are accessing your systems and handling your data in a secure manner, per the contract language. And yet…
You can never know for sure what happens with your data once you share it with vendors. Sharing data with vendors has risks that can lead to breaches and lawsuits. Generally, you have two tools with which to protect your data: contract language, and contract enforcement.
Contracts with vendors may include standard language about privacy and security. These data privacy and data security terms may be written by procurement, legal or cyber security personnel and intended for general inclusion in any contract. The language may be vague and difficult to understand, and, more often than not, standard security language in contracts covers only minimum security protections.
During contract negotiation, standard privacy and security language is sometimes “red-lined” as being not applicable to the services provided by the vendor or not practicable to implement. If the security provisions of the contract cannot be implemented by the vendor, you should look for another vendor.
Removal of security provisions from a contract because the services provided by the vendor do not currently require protection is a classic case of not “future-proofing”. Standard security language needs to be included in any contract because the services provided by the vendor may change, but the contract may not. This can leave a vendor holding your sensitive data without any contractual protection.
After a contract is signed there is usually a sigh of relief. Verification and enforcement of the contract terms are treated as something “down the road”, or something that someone else will be doing. There are two principal barriers to contract verification.
Resources. Verifying that cyber security contract provisions are in place and operating effectively is time-consuming and requires resources with experience in cyber security and a knowledge of cyber security contract language. Cyber security, Legal, Procurement and IT departments are chronically resource constrained. Identification of high-risk vendors and verification that contract terms are in place is something that usually only occurs after a breach.
Vendor Management. Most vendor management systems track contract start and end dates, and other technical aspects of managing contracts. These systems are often designed for Procurement departments and may not include any information about vendor risk assessments or cyber security audits performed. You must know your vendor risk landscape from a cyber security perspective to know where to begin with enforcement.
Assuming that all your vendors are following contract terms meticulously is very risky, and the assumption is not supported by the many security incidents traced to vendor security failures. You should review your vendor portfolio by checking any security certifications or attestations (SOC 2 reports, ISO 27001 certification, PCI DSS compliance, etc.), noting their scope and date, since a report covering one service or data center may not cover the service you actually use; then identify which vendors are high risk and prioritize those vendors for additional effort concerning their security.
Verification and risk assessment of vendors are time-consuming and require resources with knowledge of and experience with cyber security and contract terms and conditions. Such verification should only be done where justified by the risk.
3FACTOR Vendor Risk Management services can help you to understand your vendor risk landscape using a risk-based framework that is practical and proven.