Risk Assessment and Cybersecurity Restrictions in Client Contracts

By Ryan Barton | May 2, 2017

Risk assessment and cybersecurity restrictions in client contractsYou’re reviewing the updated contract from your largest client, when you notice a “Security Addendum.” You read through and quickly realize you have no idea if your IT partner is doing half of this, and you’re pretty sure you’re out of compliance on the other half. What to do?

This scenario is happening with increasing frequency across many industries, from manufacturing to healthcare to insurance to government. Large organizations are requiring all their suppliers and vendors to comply with their own security model. These requirements typically include annual risk assessment, ongoing staff training, routine log monitoring, encryption of data in transit, etc. Virtually every large company now includes these types of requirements in their contracts.

If you supply a government contractor (or any military branch of the government directly), you are required to follow NIST SP.800-171 – a security framework designed for defense industry contracts.

Why is this occurring?

To understand why this is happening, first some context:

Security is not a product, and it’s not a feature, it’s a discipline. Security is about systematically reducing risk in a disciplined form, across all aspects of an organization. Security is delivered through policy, process, training, controls, and procedures.

Organizations such as the National Institute of Standards and Technology (NIST – www.nist.gov) release “frameworks” that outline security requirements and controls which organizations can follow. These make sense for all organizations, but are especially important for larger companies. These companies then enforce restrictions on anyone who is sending them files or storing their data. Hence, the contracts.

How to: cybersecurity and risk assessment for small businesses

Multi-faceted discipline across policies and controls can be extremely challenging in a small business. Most of these frameworks and requirements assume the presence of dedicated team member – something virtually nonexistent in the small business world. While every business should take an intentional, sophisticated approach to cyber security, very few do. If you find yourself scrambling to fulfill the requirements of a contract, you are not alone.

Once you’ve recognized the need to comply with contract requirements or a framework, we recommend considering the following three questions:

  1. Do I currently have the resources to understand and implement these controls quickly and cost-effectively? Interview your IT support, contractors, or staff.

  2. Is this a client that is integral to my business and worth some expense and hassle in order to keep? Recognize that even if the answer is “no,” the number of these contract restrictions is increasing significantly, so future clients are likely to implement similar procedures.

  3. Do we have the ability to lead this in-house? If yes, we suggest the following:

  • Clearly outline requirements in an audit-able format.
  • Differentiate the required items and recommended items.
  • Determine whether a risk assessment is required and, if it is, if it can be a self-assessment, or if a third party risk assessment is required.
  • Schedule a risk assessment if one hasn’t been done before.
  • Gather all of your policies that relate to security, network and IT documentation, and procedures.
  • Setup interviews with involved staff – IT, operations, HR, etc.
  • Work through the list of requirements, marking areas of noncompliance, and preparing a “Compliance report.”
  • Work with IT to implement procedures, identify products, and increase documentation in order to fulfill each required component.
  • Talk with your insurance agent about cyber liability coverage, and ensure that you have the best coverage in case of an incident.

If your organization does not have the resources to lead this internally, look for a partner who has experience with similar sized businesses, facing similar challenges. There are many quality security firms out there, but most focus on larger businesses, or businesses with high security environments (such as banks). The key is to find a partner that can understand the core business need, be cost and time efficient, and who has the expertise to create a clear path to full compliance.

If you aren’t facing this scenario, but you have large-organization or highly sophisticated clients, then prepare for this to come. You might want to double check your current contracts and make sure you haven’t signed something you aren’t aware of! If you experience a breach and are found to be out of compliance, the penalties can be severe. The benefits of risk assessment could save you a lot of time and hassle.

Mainstay’s cybersecurity team works across industries, focusing on small businesses, for information security and compliance. If you are facing this scenario, we would love to talk, give recommendations, and discuss whether we may be able to help. Give us a call at 603.524.4774, or contact us .

Leave a Comment