As cybersecurity has become one of the most important strategic imperatives for the enterprise, concerns about how third-party IT services providers are protecting corporate data have grown. As a result, negotiation of cybersecurity and data privacy issues has become one of the most challenging areas in IT outsourcing contract negotiations, says Rebecca Eisner, partner in the Chicago office of law firm Mayer Brown.\u201cSuppliers are understandably concerned about not paying damages that are disproportionate to the revenue received, and therefore seek to limit or disclaim their liability,\u201d says Eisner. \u201cCustomers are equally concerned, particularly where suppliers do not have the same incentives to protect customer data as the customer, and because the negative impacts of a security incident are generally far more significant to the customer than to the supplier.\u201d What\u2019s more, the cybersecurity regulatory environment is rapidly evolving, making it difficult for both sides to access the risks.\u00a0The increasingly complex and geographically dispersed IT environment also complicates matters. When company data lived within one or more central data centers, it was much easier for companies or their suppliers to secure the perimeter with, for example, firewalls, physical security and controlled logical access.\u00a0 Today, data is scattered among data centers, clouds, and mobile devices, for a start. \u201cThe points of access and potential points of security failure multiply with this ever expanding ecosystem,\u201d says Eisner. \u201cIn addition, many of these systems are provided or managed by third party suppliers.\u201dFor those reasons, CIOs must take a risk management approach to selecting, contracting with, and monitoring their company\u2019s IT service providers.\u00a0There are six steps IT leaders can take to strengthen data privacy and cybersecurity protections in their IT supplier relationships, according to Eisner:\u00a0\u00a0\u00a0\u00a0\u00a01. Understand which suppliers either process or have access tot the company\u2019s most sensitive personal or regulated data, and data that represents the \u201ccrown jewels\u201d of the company.\u00a0\u00a02. Collaborate with the company\u2019s security, vendor management, and legal teams to determine which supplier relationships create the highest risks for the company in order to focus the appropriate level of attention and resources on that group of outsourcing providers.3. Take a look at existing IT service provider agreements through the lens of your company\u2019s up-to-date and well-defined cyberscurity and data privacy requirements. Amend those contracts to close any gaps.4. Make sure that IT\u2019s vendor management, compliance, or security team is monitoring high-risk suppliers, including updating vendor security assessment questionnaires on an annual or bi-annual basis; reviewing audit reports, certifications, and penetration tests; and, where appropriate, conducting site visits and annual security reviews.\u00a0\u00a05. Review the company\u2019s standard security and privacy contract terms regularly with legal counsel to ensure that those baseline requirements are kept up to date.\u00a0\u201cThis is particularly necessary due to rapidly evolving privacy regulation in the U.S. and around the world,\u201d says Eisner. For example, the new European General Data Protection Regulation set to take effect in 2018, will require operational, policy, and contractual changes regarding the processing and transfer of EU personal data.6. Take the time to educate the company\u2019s board of directors, officers and employees about security and privacy risks, including those risks associated with third-party relationships, and help them to understand the steps they can take to mitigate them.