CIO

How to build cybersecurity into outsourcing contracts

Any time a company shares data or provides access to third parties, it increases its vulnerability to unauthorized access or breach. So in today’s IT environment, in which enterprises partner with multiple IT service providers, who in turn may have multiple subcontractors, cyber risks increase exponentially.

“Customer data and systems are only as secure as the weakest link in the vendor ecosystem,” says Paul Roy, a partner in the business and technology sourcing practice of Mayer Brown. “The risks for customers are twofold: not only does the customer increase its risk of a data breach, it also increases the risk that it will be in breach of its regulatory or contractual obligations if its vendors fail to comply with such obligations.”

CIO.com talked to Roy and Lei Shen, senior associate in the cybersecurity and data privacy practice at Mayer Brown, about the potential impact of security incidents arising from IT outsourcing or cloud computing engagements, the shortcomings of cloud computing contracts with regard to customer cyber risk protection, the key contractual provisions for mitigating these risks in an evolving regulatory landscape, and the importance of ongoing review in this rapidly changing area.

CIO.com: What are the potential consequences of cyber security failures with third parties, like IT service providers and cloud computing vendors?

Paul Roy, partner, Mayer Brown: The consequences of a cybersecurity failure can be substantial. They include the expense of remediation and notification, damage to the brand, loss of sales, management disruption, regulatory sanctions, shareholder derivative suits and other lawsuits, and other collateral damages. The customer remains ultimately responsible for these risks, even if its vendor was the source of the security failure.

CIO.com: Is cyber risk adequately covered in standard outsourcing or cloud contracts?

Lei Shen, senior associate, Mayer Brown: To adequately cover cybersecurity risks, the standard outsourcing contract has to include clear technical and legal compliance requirements and the right for the customer to monitor and otherwise verify the vendor’s compliance with such requirements.

To align incentives, the contract should make the vendor liable for the costs of breaches that it or its subcontractors cause, including the costs of notification, remediation, fines and similar costs. Well-crafted standard outsourcing agreements should contain these types of protections. However, the contractual protections are only adequate when combined with effective oversight and enforcement by the customer.

The adequacy of cloud contracts to protect against cyber risk is more complicated. On the one hand, a cloud service can inspire customer confidence in a cloud vendor’s well-established and hardened security. On the other hand, cloud contracts often fall short of a customer’s compliance requirements for sensitive data, particularly if the customer is in a regulated industry.

Customers must perform a gap analysis between the vendor’s offering and the customer’s requirements to identify gaps and determine whether they can be covered by either party. In addition, narrow limitations of liability—frequent in cloud contracts—can warp the incentives for protection against cyber risk. While there has been a significant growth among sophisticated cloud vendors who are able to address their customers’ data protection and compliance requirements, there is still substantial variation among cloud vendors’ ability to adequately address such requirements.

CIO.com: What are the key contractual provisions for mitigating these risks?

Roy: The key contractual provisions to mitigate cyber risk are: (1) the security standards required of the vendor; (2) restrictions on subcontracting; (3) employee-related protections, such as background checks and training; (4) security testing; (5) security audits; (6) security incident reporting and investigation; (7) data retention and use restrictions; (8) customer data access rights; and (9) vendor liability for cyber incidents.

Many of these contractual protections come with limitations. Since vendors must maintain consistent internal security standards, especially in a cloud setting, they may have limited ability to customize such standards to meet a customer’s unique requirements. However, the key for customers should be the adequacy of the protection, not the specific means for achieving that protection.

Cloud contracts typically include additional limitations on these types of provisions. For example, in a standard outsourcing agreement, the customer typically has the right to approve subcontractors, whereas cloud vendors have pre-existing subcontractors that are subject to change without customer approval. The key protections for customers in that circumstance are the assurances that security provisions are flowed down to subcontractors and that the customer has the right to periodically obtain a list of those subcontractors, especially if such a list is required by applicable privacy laws. Similarly, a standard outsourcing agreement often contains the right for the customer to conduct security audits, but cloud vendors typically do not permit physical audits of their facilities. The absence of this right can typically be satisfied by third-party compliance audits and certifications.

One aspect of cloud contracts that is sometimes overlooked is the restriction on secondary uses of the data by the vendor, including aggregated or anonymized data. From a purely commercial standpoint, this secondary use right can mean substantial value to the vendor and corresponding loss of value to the customer. From a cybersecurity standpoint, any retention of data by the vendor risks re-identification of the data, thereby increasing the risk of security failures. In addition, a vendor’s retention of inadequately de-identified data may also run the risk of violating certain privacy laws.

CIO.com: What existing regulations around third-party cybersecurity risk should IT outsourcing customers understand?

Shen: There is a patchwork of regulations in the U.S. across industries and states. At the federal level, they include Gramm-Leach-Bliley, HIPAA, SEC requirements for public companies, and FTC requirements. In addition, some states, such as Massachusetts, have their own data protection requirements. The common thread of all of these laws is the requirement that companies take “reasonable and appropriate measures” to protect their data, including care in the selection and oversight of third-party vendors.

The European Union has more consolidated and stricter privacy legislation that generally imposes higher standards of data protection than in the U.S. In addition, the new EU privacy regulations that were recently introduced impose additional limitations and much higher penalties for companies that fail to comply. Companies would be well advised to become informed of the upcoming changes in the EU data protection regulations. Many other countries outside of the EU, such as South Korea, also have strict requirements for data protections.

CIO.com: How can customers build flexibility into their contracts so that they remain protected in an evolving regulatory and cyber risk landscape?

Shen: The regulatory landscape has evolved and will continue to evolve for the foreseeable future. Outsourcing agreements should include a requirement that the vendor implement changes as needed to adapt to regulatory changes. Where these regulatory changes are specific to the customer, it is reasonable for the customer to be responsible for the incremental costs incurred by the vendor to adapt to those changes. If a cloud vendor refuses to commit to adapt to changes in a customer’s regulations, the customer should at least retain the option of exiting the arrangement.

This story, "How to build cybersecurity into outsourcing contracts," was originally published by CIO, April 6, 2016.