Blog August 14, 2024

Continuous Accountability: Leveraging Contracts to Secure your Supply Chain

by Owen Denby, General Counsel, SecurityScorecard

A critical problem for security and legal professionals who manage supply chain risk is that cybersecurity risks are dynamic and always shifting. You have done your due diligence and selected a vendor with strong cybersecurity controls – but how can you guarantee that your vendor maintains this type of security hygiene and doesn’t become a target and a “weak link” in your supply chain?

Tools like SecurityScorecard’s cybersecurity ratings aim to solve this problem for CISOs and security professionals – the ability to continuously monitor the cyber vulnerabilities of your vendors allows you to spot critical weaknesses, alert your vendors in real-time, and help remediate those risks.

But what happens once the ink is dry on a multi-year contract with one of your critical software vendors that handles sensitive personal data for your company? How do you hold that vendor continuously accountable and make sure their security posture doesn’t weaken over time?

General Counsels and in-house legal teams can play a leadership role in solving this problem. In order to do so, cybersecurity contract protections – just like cybersecurity ratings – must be dynamic to account for ever-increasing and evolving threats, rather than just a static “snapshot” of cyber risk at a point in time.

One creative solution is to tie your contract protections to cybersecurity ratings themselves. Consider the following sample language the next time you are negotiating with a critical software vendor.

“In the event Vendor’s SecurityScorecard rating is reduced below an “A” and such rating remains below an “A” for thirty (30) consecutive days, the Company may, in its sole discretion, terminate the Agreement upon written notice to Vendor.”

Or, alternatively, this language:

“In the event Vendor’s SecurityScorecard rating is reduced below an “A”, Company may provide written notice to Vendor to improve its rating to an “A” within thirty (30) days. If Vendor does not improve its rating to an “A” within such cure period, Vendor shall be deemed in breach hereunder and Company may terminate the Agreement immediately upon written notice to Vendor.”
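The two clauses above have different clocks: the first only vests once the rating has stayed below “A” for thirty consecutive days, so a single day back at “A” resets the count, while the second starts its thirty-day clock at the date of written notice. A security or legal team that wants to monitor a clause like this continuously has to encode that difference. The following is an added example, written for this post and not code from SecurityScorecard or its API; it assumes a daily history of letter grades (A through F), one entry per calendar day, and treats any day rated “A” inside the cure period as a cure. The sample history and the `SAMPLE_START` date are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed for this example: any grade other than "A" counts as "below A".
GRADES_BELOW_A = {"B", "C", "D", "F"}

# Constructed anchor date for the sample histories below.
SAMPLE_START = date(2024, 8, 14)


def day(n):
    """n days after SAMPLE_START (helper for building sample data)."""
    return SAMPLE_START + timedelta(days=n)


def build_history(start, grades):
    """Turn a list of daily letter grades into a sorted (date, grade) history."""
    return [(start + timedelta(days=i), g) for i, g in enumerate(grades)]


def consecutive_days_below_a(history):
    """Current streak of days rated below A, counted back from the last entry.

    Stops at the first day rated A, and also at any gap in the daily history,
    so a missing day never silently extends the streak.
    """
    streak = 0
    prev_date = None
    for d, grade in reversed(history):
        if grade not in GRADES_BELOW_A:
            break
        if prev_date is not None and prev_date - d != timedelta(days=1):
            break
        streak += 1
        prev_date = d
    return streak


def termination_right_vested(history, threshold_days=30):
    """Clause 1: Company may terminate once the rating has stayed below A for
    threshold_days consecutive days. One day back at A resets the clock."""
    return consecutive_days_below_a(history) >= threshold_days


def cure_status(history, notice_date, cure_days=30):
    """Clause 2: after written notice, Vendor has cure_days to return to A.

    Returns "cured" if any day in [notice_date, notice_date + cure_days] is
    rated A, "in_cure" while the period is still running, "breach" once the
    period has elapsed without a return to A.
    """
    deadline = notice_date + timedelta(days=cure_days)
    if any(notice_date <= d <= deadline and g == "A" for d, g in history):
        return "cured"
    last_observed = history[-1][0]
    if last_observed < deadline:
        return "in_cure"
    return "breach"


if __name__ == "__main__":
    # Constructed sample: five days at A, then a sustained drop to B.
    steady_drop = build_history(SAMPLE_START, ["A"] * 5 + ["B"] * 30)
    # Same drop, but with a one-day return to A in the middle of it.
    blip = build_history(SAMPLE_START, ["A"] * 5 + ["B"] * 20 + ["A"] + ["B"] * 29)
    notice = day(5)  # written notice sent on the first day below A
    print("clause 1, steady drop:", termination_right_vested(steady_drop))  # True
    print("clause 1, with blip:  ", termination_right_vested(blip))         # False
    print("clause 2, steady drop:", cure_status(steady_drop, notice))       # in_cure
    print("clause 2, with blip:  ", cure_status(blip, notice))              # cured
```

The contrast in the sample output is the point: the same one-day recovery that defeats the first clause satisfies the second, so the clause you negotiate determines what your monitoring has to watch for.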

To secure the supply chain, there must be clear consequences. If vendors are faced with contract termination and lost revenue for lax security practices, those gaps will be in the spotlight from C-Suite leadership and directors across industries, and cybersecurity hygiene will increase across the board.

If you are a General Counsel and want to raise the bar on reducing cyber risk – the time is right now. Be proactive, hold a hard line on your contracts and make your vendors continuously accountable.