According to a recent Intel Security report, 60% of IT decisionmakers surveyed work at organizations that outsource at least some cybersecurity work, a trend driven partially in response to in-house cybersecurity skill shortages. Although organizations of all sizes face cybersecurity risks of increasing diversity and sophistication, 82% of respondents reported challenges in hiring enough skilled cybersecurity workers to address those risks, a challenge that is being met by outsourcing many cybersecurity functions.
According to the report, the cybersecurity functions most frequently outsourced are risk assessment and mitigation, network monitoring and access management, and repair of compromised systems. Organizations surveyed say that they will most likely expand outsourcing of cybersecurity functions in the future, with a majority surveyed expecting that cybersecurity solutions will be able to meet most of their organizations’ needs in five years. In particular, the functions most likely to be outsourced are those capable of automation. Almost 90% of respondents said that cybersecurity technology solutions could help compensate for skill shortages.
Companies should carefully consider the liability and other contract implications of outsourcing cybersecurity functions before turning to outsourced experts to manage cybersecurity risks. As we discussed in a past Contract Corner post, customers and service providers are generally focused on allocating cybersecurity liability in indemnification and liability provisions because of the potential for large-scale damages from a security incident. This concern is only amplified for agreements focused on cybersecurity services. The following are some key issues to consider when negotiating these contract provisions:
- Rather than relying on general negligence or contract breach standards, consider adding security incidents resulting from a contractual breach as separate grounds for indemnification coverage.
- Determine whether indemnification is limited to third-party claims or includes other direct and/or indirect damages and liabilities caused by a security incident.
- Coordinate indemnification defense with incident response provisions and consider the effect on a customer’s client relationships where the vendor assumes such defense.
- Assess whether all potential damages from a security incident are covered by the damages provisions, including any damages that may be considered indirect or consequential.
- To determine the allocation of liability, consider the contract value, industry norms, type of data at issue, potential business exposure, cost of preventative measures, and cause of the security incident.
- Consider calling out specific damages related to a security breach that are not subject to any cap or exclusion to provide clarity and protection—such damages can include the costs of reconstructing data, notifying clients, and providing them with identity protection services.
Read our complete Contract Corner series on cybersecurity: