As cybersecurity has become one of the most important strategic imperatives for the enterprise, concerns about how third-party IT services providers are protecting corporate data have grown. As a result, negotiation of cybersecurity and data privacy issues has become one of the most challenging areas in IT outsourcing contract negotiations, says Rebecca Eisner, partner in the Chicago office of law firm Mayer Brown.
“Suppliers are understandably concerned about not paying damages that are disproportionate to the revenue received, and therefore seek to limit or disclaim their liability,” says Eisner. “Customers are equally concerned, particularly where suppliers do not have the same incentives to protect customer data as the customer, and because the negative impacts of a security incident are generally far more significant to the customer than to the supplier.” What’s more, the cybersecurity regulatory environment is rapidly evolving, making it difficult for both sides to access the risks.
The increasingly complex and geographically dispersed IT environment also complicates matters. When company data lived within one or more central data centers, it was much easier for companies or their suppliers to secure the perimeter, firewalls, physical security and controlled logical access. Today, data is scattered among data centers, clouds, and mobile devices, for a start. “The points of access and potential points of security failure multiply with this ever expanding ecosystem,” says Eisner. “In addition, many of these systems are provided or managed by third party suppliers.”
For those reasons, CIOs must take a risk management approach to selecting, contracting with, and monitoring their company’s IT service providers. There are six steps IT leaders can take to strengthen data privacy and cybersecurity protections in their IT supplier relationships, according to Eisner:
1. Understand which suppliers either process or have access tot the company’s most sensitive personal or regulated data, and data that represents the “crown jewels” of the company.
2. Collaborate with the company’s security, vendor management, and legal teams to determine which supplier relationships create the highest risks for the company in order to focus the appropriate level of attention and resources on that group of outsourcing providers.
3. Take a look at existing IT service provider agreements through the lens of your company’s up-to-date and well-defined cyberscurity and data privacy requirements. Amend those contracts to close any gaps.
4. Make sure that IT’s vendor management, compliance, or security team is monitoring high-risk suppliers, including updating vendor security assessment questionnaires on an annual or bi-annual basis; reviewing audit reports, certifications, and penetration tests; and, where appropriate, conducting site visits and annual security reviews.
5. Review the company’s standard security and privacy contract terms regularly with legal counsel to ensure that those baseline requirements are kept up to date. “This is particularly necessary due to rapidly evolving privacy regulation in the U.S. and around the world,” says Eisner. For example, the new European General Data Protection Regulation set to take effect in 2018, will require operational, policy, and contractual changes regarding the processing and transfer of EU personal data.
6. Take the time to educate the company’s board of directors, officers. and employees about security and privacy risks, including those risks associated with third-party relationships, and help them to understand that the steps they can take to mitigate them.