According to an Opus and Ponemon Institute study, 59% of companies have experienced a data breach caused by one of their vendors or Third Parties — while only 16% claim they effectively mitigate Third-Party risks.
Don’t be a part of these alarming statistics: In order to protect your organisation’s valuable information, it’s critical that you set up the necessary security expectations from the onset of a new vendor relationship. Now, as an increasing percentage of businesses are moving to the remote office model, having these security conversations early on is even more critical — because residential IPs account for more than 90% of all observed malware infections and compromised systems.
Of course, simply telling your new Third-Party partner that you have specific requirements — or asking them to describe the controls they have in place — is not enough. In order to build a strong Third-Party risk management (TPRM) program, you must explicitly define all of your expectations in a legally binding vendor contract.
Common Vendor Contract Mistakes To Avoid
When you first launch a Third-Party risk management program, it can be difficult to know what type of vendor contract language you should establish to protect all the assets in your digital ecosystem. Start off on the right foot by avoiding the don’ts listed out below.
DON’T: Begin a vendor relationship before agreeing to security expectations
Your specific security requirements — and the enforceability of those requirements — aren’t something to consider after the fact. Work closely with your legal department to create contract language that guarantees your Third Parties will uphold their end of the bargain when it comes to security performance, monitoring, and remediation. Make sure both sides have agreed to the expectations before you begin your partnership.
DON’T: Use general language
When developing your vendor contract, avoid generalities — like “reasonable security measures” — that offer little to no clarity into the practices you actually expect the vendor to implement. After all, “reasonable” could mean something different to your organisation and to the Third Party in question. Instead of using this type of vague language, refer to the specific standards and frameworks you want them to abide by.
DON’T: Forget to consider your vendor’s vendors
Fourth parties, or your vendor’s vendors, have a direct effect on your risk outlook as well. Don’t go into a new partner relationship without the desired visibility and context into your extended ecosystem. Make sure to add language to your vendor contract stipulating that all security guidelines that apply to your Third-Party vendor also apply to their subcontractors.
Vendor Contract Best Practices To Implement
Now that you understand what not to do, it’s time to go over some contract language you should be sure to include. Here are a few do’s to keep in mind as you begin the process.
DO: Build in specific terms and conditions
Put all your expectations on the table — from how a vendor should handle and protect your data to what they should do if and when they experience a breach that affects your information. Specifically, your contracts should stipulate that vendors must:
- Meet the agreed-upon risk threshold
- Employ ongoing security monitoring
- Respond to your security inquiries
- Notify you about breaches within a specified time frame
- Abide by mandates and timelines for remediation
As a best practice, you should be as specific as possible when outlining time frame expectations. For instance, you may require that vendors inform you of any breaches within 24 hours and remediate any security issues within 48 hours.
DO: Ensure all your vendors have security obligations
Of course, if you’re in the initial stage of contracting work out to vendors, you can make sure all your new contracts include the necessary cybersecurity requirements. But what if you already onboarded some vendors before you put your Third-Party risk management program in place? In this case, it’s critical that you audit your existing terms and conditions. Gather all your current contracts and work with your legal team to evaluate whether there are any instances where your contractual security obligations are lacking or not specific enough. If you find any language that needs to be revised, reach out to the vendor in question about updating the contract to speak to your current expectations.
DO: Outline your continuous monitoring practices
When you onboard a vendor, let your new partner know how their security posture will be evaluated, monitored, and measured throughout the course of your relationship. Make sure to clearly state what your organisation defines as a threshold of acceptable risk — and what your course of action will be if the vendor’s security posture goes below that level. By defining these expectations from the onset, you can ensure that you and your vendor are on the same page when it comes to protecting your ecosystem.
DO: Start your vendor relationship off on the right foot
Don’t let a vendor breach or other incident be the first time you discuss your security expectations with your Third-Party network. By developing specific, enforceable security vendor contract language at the onset, you can protect your critical data — and save your organisation time and effort down the line.
You’re Only As Strong As Your Weakest Link
There’s never a more vital time to start thinking seriously about the security posture of your organisation and the cyber supply chain you rely on. DVV Solutions are here to help with a range of services and solutions proven to improve your ability to assess, analyse and manage more Third-Party cyber and data privacy risk domains. For more advice and information on any Third-Party risk challenge you have:
This article was originally published by BitSight Technologies and is shared with their kind permission.