Cybersecurity is rarely a core business — but it is a requirement of doing business. Organizations seeking to establish and maintain systems that are secure against cyberattack must enlist the skills and knowledge of third-party providers. With any IT contract, it is necessary to ensure that expectations and deliverables are specifically defined, that appropriate representations and warranties are given, and that costs and penalties are properly scaled. This is particularly true in the area of cybersecurity, with its plethora of suppliers and technologies, and where the failure of a system or service can have catastrophic consequences.
Outsourcing and procurement issues extend far beyond the purchasing of cybersecurity systems. Indeed, most cybersecurity procurement issues arise in the acquisition of services from vendors. These would include, by way of example only, payroll services, expense services, healthcare services, data storage services (including, not incidentally, cloud services). In an age when doing business requires the extensive sharing of information, organizations need to know that the systems of their suppliers and co-contractors are secure. Equally, they need to be confident in assuring customers, clients, and co-contractors that their own systems are secure.
In best of class systems, this assurance is contractual, with a varying mix of specific terms and conditions. The topics to which those terms and conditions would be addressed are at least those set out below. These are particularly applicable where the Vendor is being provided with or has access to private or confidential information. In those cases, suppliers are often required to:
- implement and maintain commercially reasonable physical and cybersecurity safeguards and security mechanisms;
- distinguishing, where necessary, between the treatment of confidential and private information;
- warrant that they complies with all applicable laws of all applicable jurisdictions
- take steps to prevent unauthorized access to data;
- maintain written policies and procedures defining and limiting access;
- verify that security procedures operate effectively;
- maintain systems which adhere to or comply with accepted “standards” or protocols such as such as NIST, ISO, COBIT and PCI DSS;
- maintain disaster recovery and business continuity plans;
- maintain personnel training or certification systems;
- notify in the case of the breach, within the defined, with specific information, including impact assessments and corrective action; and
- indemnify and defend where required.
In addition to ensuring that contractual relationships with suppliers address suppliers’ cybersecurity obligations, businesses must also ensure that their suppliers are in fact meeting their obligations under those contracts. Conversely, businesses need not only understand their own security obligations to clients and co-contractors, they also need to ensure their internal policies and programs meet the standards defined in those contracts. Audits of the relevant contracts and compliance with their terms are high priorities in every best of class cybersecurity plan. Audit rights, or the right to require third-party review now frequently appear as terms or conditions in supplier contracts.
National governments, particularly in the United States and the United Kingdom, have been leaders in the development and application of procurement policies meant to maximize the security of information and communications systems. Companies doing business in the defence, infrastructure and government services fields, in particular, need to understand these policies.
The government of the United Kingdom has developed a preferred organizational standard for cybersecurity, a form of certification it calls “Cyber Essentials”. This standard is intended to provide a clear statement of the basic controls all organizations should implement to mitigate risk from common Internet-based threats. It also offers a mechanism for organizations to demonstrate to customers, investors, insurers and others that they have taken essential precautions.
In the United States, the Department of Defense (DoD) requires that contracts of supply incorporate specific cybersecurity clauses, while the Department of Homeland Security has proposed procurement language for control systems. In June 2014, the General Services Administration (GSA) and the DoD announced an initiative to develop and implement “a repeatable, scalable process for addressing cyber-risk in federal acquisitions based on the risk inherent in the product or service being purchased”. The process is intended to include baseline cybersecurity requirements as a condition of contract award, cybersecurity acquisition training, and common cybersecurity definitions. In December 2014, the U.S. Defense Information Agency released a draft of its Cloud Computing Security Guide, setting out the requirements with which providers seeking to win contracts would need to comply.
The lesson in all of this is simple and straightforward - not only must organizations ensure that their suppliers are cybersecure, they must be able to provide the same assurance to their own customers. Competitiveness depends on it.