Most organizations today are conducting assessments and looking at third party rating schemes in an attempt to manage third party risk. However, assessing and looking at third party ratings without having the ability to enforce anything hardly improves risk – it only sheds a light on where the risks might be. After you have identified the risks in your third party, the next work is to reduce that risk through negotiations by working directly with your critical vendors.
This is where the vendor has the ability to completely reject your improvement requests due to lack of specificity in the contract that may have already been negotiated. This is where a CISO or vendor risk manager must work closely with the legal officer and cyber team to develop specific clauses that enforce vendors to comply with cybersecurity requirements. Below are some of the most common clauses that can help you expedite this process. The language below is only sample language, you should consider working directly with an attorney to tailor the clauses for your specific needs.
Clause 1: The Right to Audit
will keep accurate and complete accounting records. Upon no less than ten days written notice and no more than once per fiscal year, the may audit or use a reputable accounting firm to audit the ’s records relating to its performance under this agreement.
Costs of any audits conducted under the authority of this right to audit and not addressed elsewhere will be borne by unless certain exemption criteria are met. If the audit discovers substantive findings related to inappropriate accounting, non-performance, misrepresentation, or fraud, may recoup the costs of the audit work from the . Any adjustments and/or payments that must be made as a result of any such audit or inspection of the ’s records shall be made within a reasonable amount of time (not to exceed 60 days) from the presentation of the ’s findings to .
Clause 2: Non-Repudiation
The vendor shall provide a system that implements that provides for origin authentication, data integrity, and signer non-repudiation.
Clause 3: Data Jurisdiction
The vendor shall identify all data centers that the data at rest or data backup will reside. All data centers will be guaranteed to reside within . The vendor shall provide a Wide Area Network (WAN), with a minimum of [#] data center facilities at [#] different geographic locations with at least [#] Internet Exchange Point (IXP) for each price offering. The vendor shall provide Internet bandwidth at the minimum of [#] GB.
Clause 4: Independent Source Code Review
The vendor shall have their software reviewed for security flaws, in binary format (i.e. compiled or byte code), by an independent organization that specializes in application security, at their expense, prior to delivery to the Client.
Clause 5: Data Access
During the term of this agreement, may view, review, or otherwise analyze the data stored, inputted or otherwise collected by the application for maintenance, system administration, technical support, and for any other purpose necessary for to perform under this agreement and/or to comply with laws and regulations, subject to the provisions of Section 6.2 of this agreement.
Clause 6: Data Breach Clause
If the contractor becomes aware that data may have been accessed, disclosed, or acquired without proper authorization and contrary to the terms of this agreement or the contract, then the contractor shall use reasonable efforts to alert of any data breach within two business days, and shall immediately take such actions as may be necessary to preserve forensic evidence and eliminate the cause of the data breach. Contractor shall give highest priority to immediately correcting any data breach and shall devote such resources as may be required to accomplish that goal. Contractor shall provide the University information necessary to enable the University to fully understand the nature and scope of the data breach.
Clause 7: No Surreptitious Code
Contractor warrants that, to the best of its knowledge, the system is free of and does not contain any code or mechanism that collects personal information or asserts control of the system without Company’s consent, or which may restrict Company’s access to or use of company data. Contractor further warrants that it will not knowingly introduce, via any means, spyware, adware, ransomware, rootkit, keylogger, virus, trojan, worm, or other code or mechanism designed to permit unauthorized access to the company data, or which may restrict the university’s access to or use of company data.
Clause 8: Data Protection
Contractor shall only use, store, disclose, or access data:
- In accordance with, and only to the extent needed to provide services to Company; and
- In full compliance with any and all applicable laws, and regulations
Contractor shall implement controls reasonably necessary to prevent unauthorized use, disclosure, loss, acquisition of, or access to the company data. This includes, but is not limited to personnel security measures, such as background checks.
All transmissions of company data by Contractor shall be performed using a secure transfer method
Hopefully, the above gives you a bit of an insight on your third parties and what it would look like to create some critical clauses.