Cracking Cybersecurity Consulting: How do we protect ourselves throughout the consulting agreement?
Seventh article in a 12-part series on “Cracking Cybersecurity Consulting”
There are two ways to protect yourself from your vendors:
1) Through internal controls; and
2) Through the contracts themselves.
A due diligence process that addresses cybersecurity and data privacy concerns but is left out of the contracting process will mean that you lack proper mechanisms for enforcement and self-protection.
The actual consulting agreement is a vital part of setting up the proper protections for interactions with this new third party. A consulting agreement should include:
1) Definitions: Define key terms related to the cybersecurity consulting relationship. For example:
a. Confidential information;
b. Personally Identifiable Information (PII);
c. Security Incident; and
d. Data Breach.
2) Performance: Consider how the description of a product or service to be delivered by the vendor implicates information security. Also consider your responsibilities as the purchaser, whether stated explicitly or imposed implicitly by the limitations of the vendor’s product or service.
a. Third Parties: In considering performance, think about who will produce and perform the services. For example, will anyone other than the vendor (e.g. affiliates, subcontractors, downstream vendors, or suppliers) perform the service? You need to consider what steps will be taken to monitor the roles of third parties. For example, you might review the consultant’s vendor management program or require direct access to the downstream vendor for review and monitoring as well as being identified as a third-party beneficiary of subcontracts.
3) Confidentiality clause: Make sure that the proprietary information that is being shared stays between your organization and the consultant. Generally, confidential information should be used only as necessary to perform the service, provide the product, and administer the agreement.
4) Record ownership: Be very clear on ownership of records between parties. What records, data, information, and analytics will the vendor create during the term of the contract and who will own them? Who will have access to those records? Does the vendor intend to make any secondary usage of such data, information, or analytics? Where will those records be located?
5) Explanation of services rendered: Ensure that the scope of the project discussed appears clearly on paper and not just in your verbal agreements.
6) Incident notification clause: Both parties have a stake in containing incidents and mitigating adverse impacts. There should, however, be an added provision for defining an “incident” and setting the timeline for communication to either party. When and if data is being shared, make sure the notification clause allocates liability for direct costs of the incident when personally identifiable information (PII) is compromised.
7) Insurance: Consider cyber risk insurance coverage from both the vendor and the purchaser perspectives.
8) Indemnification: The agreement might include both general indemnification and indemnification for loss of information (similar to the notification clause but focused on associated costs instead of communication).
9) Limitation of liability: If the agreement will include limitations of liability, consider carve-outs or separate caps for indemnification of third-party claims. This can be particularly important for claims based on information loss, costs associated with security and data breaches, IP infringement, and remediation costs associated with vulnerabilities and incidents.
10) Termination: Make sure your agreement details what acts, omissions, or conditions give either party the right to terminate the consulting agreement. There has to be a way out of the contract for either party.
While this is not an exhaustive list of clauses to build into your vendor agreement, it will help you make sure you are protecting yourself from cyber liability.
After you have an agreement in place, you can then focus on the next stage of protection: internal controls. Our next article will explore how to protect your assets with internal monitoring and access controls.
For more information and to discuss the consulting services that are right for your organization, contact Violet Sullivan, Esq. CIPP/US, Cyber Security Consulting Practice Manager, 760-916-4477 or email vsullivan(at)eplaceinc.com.
Business Consultant | 🚀 Driving Sales Excellence & Market Leadership | 💡 Crafting Winning Strategies for Rapid Growth | 🌏 Architect of Global Expansion Initiatives
Yes. Thanks for spelling it out like this. A great reminder to not only discuss ahead of time, but also to include certain terms in the contract before moving forward.
Creative Director and Marketing Manager at Pariveda
Such great and insightful advice. I love this series!