Vendor Contract Do’s and Don’ts

According to an Opus and Ponemon Institute study, 59% of companies have experienced a data breach caused by one of their vendors or third parties — while only 16% claim they effectively mitigate third-party risks. Don’t be a part of these alarming statistics: In order to protect your organization’s valuable information, it’s critical that you set up the necessary security expectations from the onset of a new vendor relationship. Now, as an increasing percentage of businesses are moving to the remote office model, having these security conversations early on is even more critical — because residential IPs account for more than 90% of all observed malware infections and compromised systems.

Of course, simply telling your new third-party partner that you have specific requirements — or asking them to describe the controls they have in place — is not enough. In order to build a strong third-party risk management program, you must explicitly define all of your expectations in a legally binding vendor contract.

Common mistakes to avoid

When you first launch a third-party risk management program, it can be difficult to know what type of contract language you should establish to protect all the assets in your digital ecosystem. Start off on the right foot by avoiding the don’ts listed out below.

DON’T: Begin a vendor relationship before agreeing to security expectations

Your specific security requirements — and enforceability of those requirements — isn’t something to consider after the fact. Work closely with your legal department to create contract language that guarantees your third parties will uphold their end of the bargain when it comes to security performance, monitoring, and remediation. Make sure both sides have agreed to the expectations before you begin your partnership.

DON’T: Use general language

When developing your contract, avoid generalities — like “reasonable security measures” — that offer little to no clarity into the practices you actually expect the vendor to implement. After all, “reasonable” could mean something different to your organization and the third party in question. Instead of using this type of vague language, refer to specific standards and frameworks you want them to abide by.

DON’T: Forget to consider your vendor’s vendors

Fourth parties, or your vendor’s vendors, have a direct effect on your risk outlook, as well. Don’t go into a new partner relationship without the desired visibility and context into your extended ecosystem. Make sure to add language into your vendor contract that stipulates that all security guidelines that apply to your third-party vendor also apply to their subcontractors.

Best practices to implement

Now that you understand what not to do, it’s time to go over some contract language you should be sure to include. Here are a few do’s to keep in mind as you begin the process.

DO: Build in specific terms and conditions

Put all your expectations on the table — from how a vendor should handle and protect your data to what they should do if and when they experience a breach that affects your information. Specifically, your contracts should stipulate that vendors must:

• Meet the agreed-upon risk threshold
• Employ continuous security monitoring
• Respond to your security inquiries
• Notify you about breaches within a specified time frame
• Abide by mandates and timelines for remediation

As a best practice, you should be as specific as possible when outlining time frame expectations. For instance, you may require that vendors inform you of any breaches within 24 hours and remediate any security issues within 48 hours.

DO: Ensure all your vendors have security obligations

Of course, if you’re in the initial stage of contracting work out to vendors, you can make sure all your new contracts include the necessary cybersecurity requirements. But what if you already onboarded some vendors before you put your third-party risk management program in place? In this case, it’s critical that you audit your existing terms and conditions. Gather all your current contracts and work with your legal team to evaluate whether there are any instances where your contractual security obligations are lacking or not specific enough. If you find any language that needs to be revised, reach out to the vendor in question about updating the contract to speak to your current expectations.

DO: Outline your continuous monitoring practices

When you onboard a vendor, let your new partner know how their security posture will be evaluated, monitored, and measured throughout the course of your relationship. Make sure to clearly state what your organization defines as a threshold of acceptable risk — and what your course of action will be if the vendor’s security posture goes below that level. By defining these expectations from the onset, you can ensure that you and your vendor are on the same page when it comes to protecting your ecosystem.

Start your vendor relationship off on the right foot

Don’t let a vendor breach or other incident be the first time you discuss your security expectations with your third-party network. By developing specific, enforceable security contract language at the onset, you can protect your critical data — and save your organization time and effort down the line.

Interested in learning more about how to ensure your vendors remain secure? Download our new white paper, Faster, Less Costly, and More Scalable: Here’s how your vendor onboarding program can have all three.