October is cybersecurity awareness month – and we’re here to lend a helping hand. In this three-part blog series, we’ll outline how you can use LinkSquares to improve your contract management and your cybersecurity posture. No time to waste – let’s go!
Why Contract Management is a Cybersecurity Virtue
In a security advisory, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) recommended that all businesses “review contractual relationships with all service providers.”
That’s because major supply chain attacks -- like SolarWinds and Kaseya -- have exposed hundreds of companies, dozens of federal agencies, millions of individuals, and an untold number of state secrets to illegal surveillance and data theft. And one of your best defenses against similar cyberattacks is contract management.
A supply chain attack is a cyberattack that targets companies that sell you products and services, especially Software-as-a-Service (SaaS) vendors that handle your critical business data. Your cybersecurity may be adequate, but your suppliers might not. If a supplier is compromised, your security can be breached as a follow-on effect. That’s why you should review what sort of security measures your vendors are contractually obligated to provide, and what methods you are entitled to use to verify those safeguards.
And if your company is itself a SaaS vendor, you’d do well to review what protections you owe to your customers, as well as what’s owed to you by your vendors. Upstream mistakes by a supplier can lead to you incurring liability to your own clients.
Security Stipulations to Demand
In the aforementioned security advisory, CISA identified four key stipulations that should be included in all your vendor contracts.
- Guarantees the vendor will use security controls that you, the customer, deem appropriate
Does the vendor use antivirus? Do they honor the principle of least privilege? Have they undergone a SOC 2 Type II audit? Every question you ask in a vendor security questionnaire or request for proposal, you should adapt into your client contract. After all, if you’re going to down-score or disqualify a vendor for failing to use two-factor authentication for all employee logins, you should contractually demand that two-factor authentication (or better) be a guaranteed practice when handling your data or connecting to your systems. Otherwise, you just encourage vendors to lie on their bid documents. Vague phrases like “industry standard” or “generally accepted” security practices are red flags.
- Guarantees the vendor will use appropriate monitoring and logging of provider-managed customer systems
Your vendor can’t defend against events they can’t see, and you can’t audit logs that don’t exist. Uptime guarantees require uptime monitoring. Access restrictions should be verified by access logs. Whatever specific performance metrics you’re paying for, you should be able to verify from a logging system -- both because it helps keep your pricing honest, and because it is the first line of defense in detecting unauthorized or suspicious usage of your systems. This should be guaranteed in your contract.
- Guarantees the vendor will use appropriate monitoring of the service provider’s presence, activities, and connections to your network
Intrusion detection and traffic monitoring are basic necessities of security, but your awareness of network activity shouldn’t stop at the end of your own systems. You should be able to compare your logs to those of your vendors where your network and theirs intersect, so you can attribute access (and intrusions) effectively, and to also ensure that your vendor is keeping their own house in order. Your contract should provide these protections.
- Guarantees the vendor will provide notification of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative networks
You can’t respond to threats you don’t know about, so a very explicit notification window should be a non-negotiable item in every vendor contract. If a vendor is compromised, they should tell you in a matter of days, if not hours. And when they notify you, they should be specific about what type of attack was made, what type of access or data was gained by the attacker, and which specific users and accounts were affected.
We’ll be back next week to discuss where to look for these cybersecurity stipulations in your contracts. Don’t miss it – subscribe to our blog today.
Subscribe to the LinkSquares Blog
Stay up to date on best practices for GCs and legal teams, current events, legal tech, and more.