One size does not fit all and the wrong drafting of a contract can leave you exposed to risk the supplier should be carrying. The effect on service delivery should always be considered and is arguably more important than getting the words right in the draft contract within the Invitation to tender.
Cyber risk is never far from the top of most organisations strategic risk register, but we are still to see a common approach to the way the public purse manages cyber risk within contract other than standard clauses regarding the movement of data outside of the UK.
James Wall, Associate Director, Technology & Cyber Practice at Gallagher says: “Rather than steering the conversation with a potential supplier from an insurability stance, I would advise on engaging them in a ‘health check assessment’ discussion.”
With this in mind, James has offered 5 top tips to help you better manage the cyber risk within your contracts:
- Define security requirements linked to the criticality of the service being procured: As a first step, it is important to understand how critical the supplier’s offering will be to your business. Usually this can be assessed using a business impact analysis or interrogating what impact disruption to the service offering could have based on an internal risk matrix. The higher the criticality, the more focus there should be on security requirements and the lower your risk appetite should be.
- Ensure the potential supplier completes a security questionnaire based upon an internationally recognised standard: Most suppliers will be able to provide information on their compliance to ISO 27001, the NIST framework or CIS controls, however it’s important that you push to get information on the types of controls in place at the supplier, to satisfy yourself that they meet your standards. This is not always possible, particularly with ‘one to many’ suppliers such as AWS, Oracle etc., so instead it is important that you receive evidence of accreditation to a security framework. Some suggested control questions requirements ae provided below as a minimum standard for critical suppliers:
- Multi-factor authentication (MFA) for employee email
- MFA for remote access
- MFA for privileged accounts/privileged access
- Off-site (preferably offline) backups of critical data
- Have a hosting configuration that can recover service within your tolerance for disruption (recovery time objectives and recovery point objectives)
- Utilise an endpoint detection and response (EDR) solution on all managed endpoints
- Have a 24/7 SOC that ingests logs into a SIEM tool for automated analytics
- Have an acceptable cadence for the patching critical software and hardware
- Continuous vulnerability scanning
- Ensure that employee cybersecurity training, including phishing simulations are conducted on a regular cadence
- Have strong email and web filtering tools
- Privileged account controls should be in place for any admins that would have access to your service – logging, credential vaulting/rotation, MFA, monitored sessions
- A regularly exercised cyber-incident disaster recovery/incident response plan
- Appropriate isolation of your service offering from other clients
- Web application firewalls in front of any externally facing applications
- International security standard accreditation (as noted above)
- Where potential suppliers cannot meet your security standards, this should be raised as a risk, so that it can be appropriately quantified and internal mitigating controls put in place: It may not be possible for a preferred supplier to satisfy all of your security requirements, however being able to identify these gaps as discrete risks allows them to be appropriately quantified, and internal controls put in place to reduce your exposure.
- Ensure you have contractual obligations in place regarding information security: Although most contracts include a data schedule (to ensure suppliers meet GDPR requirements), many companies still do not draft stand-alone information security schedules. This provides some contractual recourse in the event of a third-party breach and also enables some level of assurance through the ability to require evidence of security controls on a recurring basis. As a minimum, this schedule should include:
- Service level agreements for incident notification, response and engagement with you during an incident
- A clause that stipulates any resilience requirements for the service (IE recovery time and recovery point objectives in the event of disaster), availability (uptime), and SLAs for monitoring service levels
- A clause stipulating that the service provider must adhere to an internationally recognised security standard, and be prepared to provide evidence of such certifications on an annual basis for assurance
- A regular cadence of security-focused supplier performance meeting (or a standing agenda item for the supplier to report against security requirements during broader supplier performance meetings)
- Escalations and penalties in the event that the service provider is in breach of this schedule
- Bear in mind that larger suppliers are unlikely to take your schedule wording verbatim (or at all) and some negotiation may be required
- As you onboard more service providers, maintain a view of risk aggregation across cloud services, including specific data regions within each provider: The vast majority of Software-as-a-Service providers utilise AWS, Microsoft Azure or Google Cloud Platform to host their applications. As your cloud supplier footprint increases, it is important that you understand your risk aggregation across these suppliers. As part of onboarding, you should ensure that you know which cloud service provider the supplier relies on, and the availability zones and data regions that they are hosted in. This will support decision making regarding systemic risk (IE – major outage of AWS in Europe due to energy black outs for example), and ensure you can maintain resilience by diversifying your supplier base through visibility of their critical 3rd parties (your 4th parties).
If you need help to consider cyber or any contractual risk please reach out to our team.