
Business Contracts and Cyber Risk Management

October 23, 2018

Last week we broke down the life cycle of cyber risk management by defining the following five functions: identify, protect, detect, respond, and recover. Today we’re going to shift our focus to the importance of business contracts. You might be wondering how this relates to cyber risk management. It has a lot to do with it: cyber risk is not just an IT issue, it cuts across every area of your business.

Why is it important to include data security standards in business contracts?

We often talk to our customers about contracts. They’re receiving contracts from their customers and signing contracts with vendors. You need a financial firewall in those contracts just as much as you need firewalls on your data network. If a data breach does happen, the contract terms determine how much of the financial fallout lands on you, and without the right clauses the consequences can be very serious.

Recently, we’ve seen many more security-focused clauses in standard business contracts: internet affiliate marketing agreements, vendor contracts, and even simple non-disclosure agreements. People sign NDAs all the time, often without pausing to think about what they signed. An NDA is a perfect example of the type of contract that needs data security standards added to it. If you sign an NDA and then get hacked, the first thing the other party is going to want to know is: “Well, what did you do to stop that?”

The simple reality is that if you didn’t take reasonable cybersecurity measures, you’ve probably breached your contract. Set aside the FTC (Federal Trade Commission) and HIPAA (Health Insurance Portability and Accountability Act) for a moment; a contract breach can carry plenty of penalty on its own.

Systematic, comprehensive, and structured:

These are the three key ingredients FTC regulators look for in a cybersecurity program, and you can use these three words to describe reasonableness. If you think about it, there’s no way an unstructured program is going to be reasonable. Those three words are part and parcel of the concept of a functioning cybersecurity program.

The standard of reasonable cybersecurity is going to be imposed on you whether you’re in a regulated industry or not, and whether you want it or not. You won’t be able to sign an NDA without having to practice reasonable cybersecurity. You won’t be able to sign a vendor contract without it either. If you want to do business in 2018 and beyond, you will have to have some kind of cybersecurity program in place.
