We’re running a blog post series on the “Seven Deadly Sins of Third-Party Cyber Risk Management;” here’s the fourth deadly sin, which is the failure to address information security in third-party contracts.
Did you miss the other installments? Get caught up here:
- First Deadly Sin: Believing you can outsource risk
- Second Deadly Sin: Failing to make third-party risk management about business risk management
- Third Deadly Sin: Not measuring and reporting risk and risk outcomes
Failure to address information security in third-party contracts
Leaving information security provisions out of third-party contracts leaves a company with no recourse when third-party issues arise. Examples of such provisions include (1) the right to audit the third party; (2) defined availability / resiliency requirements; (3) data breach notification; and (4) remediation requirements for addressing identified vulnerabilities. Without a right to audit, risk exposure cannot be assessed. Without remediation requirements, identified risks may never be addressed.
Using a Legal-approved, standardized information security appendix to the Master Service Agreement with third parties ensures the company has visibility into the third party's security posture and the recourse to require corrective actions to protect its clients, assets, and reputation. Even if you aren't yet actively managing vendor risk, write the risk requirements you want into the contracts. Doing so contractually commits the vendor to a minimum set of performance requirements and positions you to assess their performance when the opportunity arises.
Want to read about the other deadly sins?