I live in the UK and recently there has been (another) data breach in a large corporation, which has lead to another flabbergasted CEO to do countless interviews to apologize for the breach, try to explain what happened and make assurances that it will never happen again at their company. Hopefully for them and their customers this is an isolated incident, but the reality is that there will be more and not less attacks. Digital Transformation is great and needs to happen, but as with all advances in technology, there are new advances in criminal activity to match.
This latest breach has also lead to more people asking me what can be done. I think this is just because people tend to believe that lawyers are either the cause of or solution to most problems. Now, I am not a Cybersecurity expert, but I do know how proper contract management can address the risks in this brave new world and solve some problems.
Cybersecurity is not necessarily a new problem, but it has become more of a hot topic over the last couple of years. Unfortunately, most companies have not contracted with their customers, vendors or supply chain to address these issues or if they have, they don’t have an immediate grasp on the liability and risks to customers or with their partners.
We all know that the “hackers” are out there and we need the best technology to limit the exposure. But very few companies know exactly what this means in terms of liability with their customers or what the potential impact might be on their organization if someone down the supply chain suffers a breach. This is why we recommend a baselining exercise to assess not just the technical risk, but the contractual risk as well.
So once we have a firm understanding and definition of the contractual risk we can start doing something about it. If the right audits, security requirements, reports and responsibilities are not in the vendor chain, we recommend an attack plan of novating or amending policies with the right communication and implementation of those changes. On the flip side, companies need to look at the customer liabilities and make sure their policies and terms are clear so that the liabilities and actions are clearly defined and expectations are set. Furthermore, the “best” clauses should be identified, saved and incorporated into templates.
All of this can be a massive effort on “paper” and most companies don’t have the in-house capabilities to handle this. We do.
Now that we have diagnosed the problem and prescribed some treatment, we must monitor these obligations in the contracts while making sure there is evidence to show the company is compliant and all vendors are following the terms. We also recommend keeping some deep dive analytics tools around to continually optimize the process.
With some simple steps and clear actions a best practice contract management system can help and minimize the risk and consequences of a potentially damaging Cybersecurity breach.