What do I do if a client contract includes cybersecurity restrictions?

By: Ryan Barton on May 2, 2017

You’re reviewing the updated contract from your largest client, when you notice a “Security Addendum.” You read through and quickly realize – you have no idea if your IT partner is doing half of this, and you’re pretty sure you’re out of compliance on the other half. What to do?

This scenario is happening with increasing frequency across many industries, from manufacturing to healthcare to insurance to professional services to government. Large organizations are requiring all their suppliers and vendors to comply with their own security model. These requirements typically include annual risk assessments, ongoing staff training, routine log monitoring, encryption of data in transit, and the like. Virtually every large company is now including these types of requirements in their contracts.

If you supply to a government contractor (or directly to any military branch of the government), then you are required to follow NIST SP 800-171 – a security framework designed for contracts in the defense industry.

Why is this occurring?

To understand why this is happening, first some context:

Security is not a product, and it’s not a feature; it’s a discipline. Security is about reducing risk systematically, in a disciplined way, across all aspects of an organization. This means that security is delivered through policy, process, training, security controls, and security procedures.

Organizations such as the National Institute of Standards and Technology (NIST) release “frameworks” that outline security requirements and controls which organizations can follow. These make sense for all organizations but are especially important for larger companies. These companies then push restrictions from the framework out to anyone who is sending them files or storing their data. Hence, the contracts.

What to do?

A multi-faceted discipline spanning policies and controls can be extremely challenging for a small business. Most of these frameworks and requirements assume the presence of dedicated cybersecurity staff on payroll – something virtually nonexistent in the small business world. While every business should take an intentional, sophisticated approach to cybersecurity, very few do. If you find yourself scrambling to fulfill the requirements of a contract, you are not alone.

Once you’ve recognized the need to comply with contract requirements or a framework, we recommend considering the following questions:

Mainstay’s cybersecurity team works across industries, focusing on small businesses, on information security and compliance. If you are facing this scenario, we would love to talk, give recommendations, and discuss whether we might be able to help. Feel free to give us a call at 603.524.4774 today, or contact us online.

If you aren’t facing this scenario, but you have large-organization (or highly sophisticated) clients, then prepare for this to come. You might also want to double-check your current contracts and make sure you haven’t signed something you aren’t aware of. If you experience a breach and are found to be out of compliance, the penalties can be severe.