Cyber contracting risks. Managing vendors effectively – Part 2
Part 1 of this series examined a number of Customer "wish list" clauses we like to include in our technology procurement contracts.
This post concludes the series as we work through the remainder of our wish list. The list is by no means exhaustive and will vary for each vendor engagement. Together we hope all of the items are a useful starting point to allow customers to deliver sound technology outcomes for their business whilst at the same time effectively managing cyber risk issues in their contracts.
- Regulatory overlay
Customers who are in regulated organisations will have additional obligations which they will need to pass on to their vendors.
Super funds and financial services organisations in particular have regulatory compliance obligations to meet imposed by APRA, AUSTRAC and ASIC to name a few. For example, financial services organisations outsourcing a "material business activity", will need to ensure they manage APRA imposed requirements by including provisions dealing with audit rights, business continuity planning requirements and limitations on transferring data overseas.
Then regulators are becoming increasingly active in the technology space as they seek to educate and spread awareness of technology related risks. ASIC has come out with guidance on managing cyber resilience. APRA too has weighed in with a recent information paper which looks at the risks associated with outsourcing, including to the cloud.
The Privacy Act applies restrictions in relation to the collection, use and disclosure of personal information. 2014 amendments to the Act added a 'technology flavour' to expressly deal with cyber risks, requiring organisations to prevent "unauthorised access, loss or interference" with the relevant personal information.
Depending on your circumstances, these regulatory obligations will need to be properly reflected in your technology arrangements. Whilst the vendor will not assume responsibility for compliance, (that's your job) they should be aware of the requirements and ensure that the services they provide are consistent with those obligations.
- Technology improvement and refresh obligations
One of the main reasons you outsource technology services to a third party is to obtain best of breed technology, improve your security environment mitigate & minimise any cyber risks, and replace capex with opex.
It therefore makes sense to ensure you have inbuilt and ongoing access to technology improvements as the contract progresses and ensure any improvements in security, products and services are all passed on under the contract.
- Transition in and out obligations
As mentioned under termination obligations in my previous post, transition in and transition out (sometimes referred to as exit management or disengagement) are important rights to have in place.
Data migration activities are often the most critical period of any project from a security perspective and present the greatest risks of data loss or damage. Ensure you have a right to require minimum levels of service and performance during this period and that any fees associated with transition out activities are agreed in advance (or at least the mechanism for setting fees). Unless expressly agreed otherwise, many vendor discounts will fall away automatically during this time and can cause this activity to become extremely expensive.
As your vendor looks to replace your outgoing business with new customers, you should confirm your contract obliges your vendor to cooperate with the new/incoming vendor. This cooperation on exit may include requiring the parties to “play nicely” and provide access to restricted areas or confidential information (within reason).
Be careful too with any clauses limiting the transition out time period. Effective transition may take 6 or even 12 months for a complex engagement, or where you need to go back out to market to procure a new vendor. Many vendors will be keen to move away from their outgoing customers as quickly as possible, and will propose shorter transition periods so be on the look-out.
In our experience, 3 months seems to be a fairly standard offering. Whether or not this timeframe is appropriate will depend on all the circumstances of the particular engagement and the complexity of moving away from that vendor.
- Obligations following a breach event
We regularly see clauses which deal with virus or malicious code contamination, however more often than not, they do not go far enough to cover other security breach events and any resulting data loss, damage or security issues.
Ensure your breach obligation clauses cast the net as widely as possible to ensure you are covered for a broad range of security related issues or breaches, not just one type of event e.g. virus contamination.
In the event a breach occurs and is discovered either by you, the vendor or a third party you will want to act quickly and ensure your vendor is also obliged to do so. It is a good idea to set out a clear procedure in either in the contract or a schedule to it that outlines what happens in such an event and assigns responsibilities to relevant parties in much the same way as you would for a project plan or statement of work.
Such activities can include obligations on the vendor to:
- immediately notify of suspected or actual breach events
- ensure full cooperation with any investigations around the breach
- ensure prompt remedial action
- manage notification to affected third parties etc.
You will also need to consider an appropriate allocation of responsibility. Rights and obligations relating to your termination and transition out obligations may vary depending on who is responsible for the breach occurring.
HINT: Clever customers put the onus on the vendor to demonstrate that they are NOT responsible for a breach in the first instance.
Cyber breaches may take some time to discover so also be mindful that such clauses will need to survive the expiry or termination of the contract.
- Assigning risk - liability clauses
This is where all the action is from a legal perspective and we are aware that many cloud vendors will work on the basis of their standard contracts without much room to manoeuvre (if at all). Remember we are looking at a “wish list here.
In our “wish list” the usual provisions tend to apply, but with a few twists. Consequential loss should be excluded although be careful with the scope of what is in and what is out. For example, be careful to ensure that loss of data is not swept up in a broad exclusion of consequential or indirect loss. Lost or damaged data may be a direct loss and provided you can show causation, overcome remoteness of damage etc you should not be prevented from claiming.
Generally speaking a good approach is to individually identify and include in the scope of your clause those liabilities which you believe should be recoverable, and the types of costs which you would seek to recover in the event of a breach.
Vendors proposing positions which see you recover data from the last available backup are helpful but there may still be a gap between the loss recoverable under the contract and the actual loss or damage occurring. We tend to push for full recovery activities which may include manually re-keying lost or damaged data.
Some vendors will dig their heels in when it comes to loss of data exposure and in such cases you may wish to consider building in a specific clause dealing with data loss and security as well as a negotiating a liability cap for such losses as an alternative. Liability caps vary according to the type of loss. If you are unable to secure unlimited liability or indemnity protection for loss of data arising from a cyber-breach event, at least try and tie the cap to the value of the requested insurance. Alternatively agree a "super cap" which sees data loss fall on the higher side of the general liability cap.
Force majeure
'Force majeure' events are effectively a 'get out of jail free' card that vendors may call upon to reduce or avoid responsibility to perform the services. A genuine force majeure event is one which reasonably prevents the vendor from performing the services e.g. an act of god, natural disaster, war or other third party intervening event etc.
We are now seeing clever customers reworking the scope of force majeure definitions to expressly exclude cyber- terrorist events to ensure that should such an event occur, the vendor is still held to their security obligations.
This trend builds on other force majeure exclusions, that ensures vendors are held to account in circumstances that are reasonably foreseeable in today's environment but may previously have been included as 'force majeure' events such as "cable cuts".
- Cyber insurance cover
Vendors who are seriously operating in the network space should all have cyber cover in place for their customer service activities. Whilst some government contracts will push for $50M worth, most contracts fall within the usual $20M requests that you will see for public liability and professional indemnity cover.
Don't get too cute and ask for the vendor to include cross liability clauses which require that your vendors insurer waive its rights of subrogation or require that you be a co-insured.
Definitely require the vendor to provide evidence of their cover by producing certificates of currency. Don't be fobbed off either by vendors stating that cyber breach events are already covered under their public liability policy. This may be the case in limited circumstances, but a stand alone policy is the better option.
Sony found out much to its surprise (and cost) that cyber breaches were an exclusion under its existing policy framework. Don't make the same mistake with your vendors.Having your own cyber insurance cover is equally important. Here's a useful list of questions you should be asking your insurer.
Final comments
It is important that you view your contracts in the context of the cyber risk you are facing, which adds to the complexity of technology contracting.
Yes the above items are a bit of a laundry list with a combination of "nice to have" and "must have" clauses which may feel like an unnecessary over-complication at the time.
However, given the fundamental role technology plays in most, if not all, business activities, and the significant damage and penalties that may result if a cyber breach does occur, it is important to address and work with your vendors to reduce these risks wherever possible.