Controlling external security: cyber secure contracts
Security concerns can be split into two camps: internal and external. Internal includes all the systems inside the company’s walls that the company or organisation has direct control over. Handling internal security is easier than handling external security because it’s within the company’s domain and control. External is much trickier. External includes outside consultants, outsourced systems, anything in the cloud, and all the things that happen outside the walls of the company.
Everything external is managed by agreements, so the Cyber Security Manager needs to work with legal to include legal text in every contract regarding cybersecurity requirements for every outside vendor. It’s not enough to just say to an external supplier, “Can you be more secure? Can you not take any risks with our data?” That is unenforceable. But when these requirements are written into legally binding contracts and service-level agreements, contractors must live up to the terms of the legal agreement that they signed. So security must be clearly spelled out in a provision in every contract with every external supplier.
For a real-world example, we can look at the payment card industry (PCI) standard. Credit card organisations like Visa and Mastercard require that participants adhere to strict security standards, and they expect those members to require the same of their customers, which are the banks or card issuers, payment processors, and merchants. Then those entities have to require the same things from their customers, and so on. So the chain of compliance and requirements goes all the way down to the last merchant who buys a payment terminal in his or her little shop.
The chain of compliance seems logical enough, but in reality, managing the legal requirements can get very complicated very quickly. Take the case of a major real estate company that had historically used contractors and design agencies to build and renovate buildings. After years of operating one way, a new national security standard came along that said, “You need to require certain things from all the subcontractors who have access to your information, your premises, or your facilities.” Suddenly, all of those small suppliers had to start mandating those same security requirements from all of their subcontractors and employees. It was a huge adjustment.
In the construction business, the list of security standards is huge, with hundreds of requirements. When the various subcontractors and agreements with suppliers are figured in, the situation is even more complex. To further complicate things, the people working in this field—construction companies, design agencies, and architects—generally have no concept of cybersecurity or security standards.
For this real estate company, handling all the new legal requirements was overwhelming and frustrating. They had to send auditors to all the external companies only to learn that they weren’t compliant and probably were not going to be for a long time.
Legal and Security
The cybersecurity manager and legal staff usually get along nicely, though they probably don’t know much about what the cybersecurity manager does. The cybersecurity manager should start by meeting the lawyers in charge of drafting contracts and end user licence agreements to discuss security requirements that should be included within those contracts.
The first thing the cybersecurity manager discovers in these conversations is that not all attorneys understand security. Usually, lawyers and legal advisors specialise in one area of law, like contracts and IPR. But if you ask them about defects in software and vulnerabilities, they have no idea.
This becomes a teaching opportunity for the cybersecurity manager. He might be able to provide the legal team with invaluable support, which they will appreciate. If they have a collaborative working relationship, the cybersecurity manager might see the legal staff coming over to ask for help when they are drafting new agreements for security or compliance.
That’s the perfect time to try to influence the contracts that will govern relationships with outside service providers and suppliers—before the agreements are signed. It’s usually very difficult to fix problems after the agreements are signed. There’s always a cost involved. It’s critical that the cybersecurity manager gets involved in all the new acquisitions and service provider agreements as early as possible.
Whatever the cybersecurity manager and legal do together usually involves creating some sort of contract, as well as a standardised template with set security clauses for different uses. A typical case they might work on together is buying data centre services. The contract should clearly define operational security and services in the agreement when they buy the service. Some of the language can be templated and some of it may require customisation, but it’s a good idea to include right-to-audit to all the templates.
Subscribe To Our Newsletter
Get the latest intelligence and trends in the cyber security industry.
Contracts through the Supply Chain
There is not a single company in the world that doesn’t use some sort of supply chain. Employees have to have cell phones, an ISP, a SIM card, and an agreement to provide a voice service—otherwise, their salespeople cannot make calls. That’s a simple supply chain. But some supply chains are huge. One logistics company we know of used to have 10,000 suppliers for transporting cargo. Other types of supply chains, especially in technology, are extremely complex. Consider all the parts and suppliers that go into making one iPhone.
Most companies work with a variety of suppliers, then those suppliers each use suppliers, and so on. It can be tough to track the supply chain all the way back to the source. Most supply chains are so complex that it’s not realistic for any cybersecurity manager to expect to implement security standards for the whole supply chain from start to finish. In reality, the cybersecurity manager has to focus on just the few that matter most.
Working with the legal team, the cybersecurity manager should focus on the biggest suppliers and audit those agreements. Typically, supply chain contracts last for a few years—at least one to three years. So when each agreement nears its end date, the legal team and cybersecurity manager should work together to see if there’s anything they want to change or add to that agreement. With a three-year deal with a service provider, there is three years’ time to think about what needs to be written into the new contract regarding security.
Making Legal Happy
Clearly, the cybersecurity manager will benefit from a healthy relationship with legal. Legal will too. The lawyers don’t know the security area very well, so the experienced cybersecurity manager might be able to insert a few beneficial tricks into their agreements and agreement templates. Security clauses that make their way into templates will be used across many agreements. The legal team will also be grateful if the cybersecurity manager helps them clear out some requirements from contracts that shouldn’t be in there, clauses that create unnecessary liabilities.
For example, in software development contracts, there’s almost always a clause about fixing significant flaws in the software. If the cybersecurity manager and legal agree that a security vulnerability constitutes a significant flaw, they can put a clause in the contract saying that all vulnerabilities are significant flaws that should be fixed by the service provider. If legal doesn’t have that definition in the contract, it will lead to a negotiation every time there’s a vulnerability found in the software. Who will fix it? Who will pay the cost? An experienced cybersecurity manager can help legal a lot in this regard.
Create Contracts that Get Signed
When dealing with contracts that put liabilities on your company, it can be useful to help the lawyers when they’re reviewing contracts by spotting liabilities that could be removed because they’re not applicable.
Sometimes, it’s quite possible to exclude the liabilities altogether. If it’s possible, our professional advice is to always exclude them. If it costs some money upfront to negotiate this out of a contract, it might be worth the money.
It pays to keep the security language in contracts as beneficial as possible. For example, when purchasing software that’s supposed to be secure, the cybersecurity manager should try to write into the contract that they can conduct third-party audits. If the audit fails, the contract should stipulate that the vendor has to fix it at their own expense.
So much goes into cybersecurity. The cybersecurity manager is working within the organisation to create change, and legal can be a great partner in achieving that goal. Every cybersecurity manager must learn to work closely with the legal team.
Lawyers are not only about contracts, though. They also provide support and insight. If the cybersecurity manager fosters a good relationship with legal, they can rest assured that if they get challenged, they can depend on legal to help defend them.