How to build cybersecurity into outsourcing contracts

Any time a company shares data or provides access to third-parties, it increases its vulnerability to unauthorized access or breach. So in today’s IT environment in which enterprises partner with multiple IT service providers, who in turn may have multiple subcontracters, cyber risks increase exponentially.

“Customer data and systems are only as secure as the weakest link in the vendor ecosystem,” says Paul Roy, a partner in the business and technology sourcing practice of Mayer Brown. “The risks for customers are twofold: not only does the customer increase its risk of a data breach, it also increases the risk that it will be in breach of its regulatory or contractual obligations if its vendors fail to comply with such obligations.”

CIO.com talked to Roy and Lei Shen, senior associate in the cybersecurity and data privacy practice at Mayer Brown about the potential impact of security incidents arising from IT outsourcing or cloud computing engagements, the shortcoming of cloud computing contracts with regards to customer cyber risk protection, the key contractual provisions for mitigating these risks in an evolving regulatory landscape, and the importance of ongoing review in this rapidly changing area.

CIO.com: What are the potential consequences of cyber security failures with third parties, like IT service providers and cloud computing vendors?

Paul Roy, partner, Mayer Brown: The consequences of a cybersecurity failure can be substantial. They include the expense of remediation and notification, damage to the brand, loss of sales, management disruption, regulatory sanctions, shareholder derivative suits and other lawsuits, and other collateral damages. The customer remains ultimately responsible for these risks, even if its vendor was the source of the security failure.

CIO.com: Is cyber risk adequately covered in standard outsourcing or cloud contracts?

Copyright © 2016 IDG Communications, Inc.

The 10 most powerful cybersecurity companies