What do I do if a client contract includes cybersecurity restrictions?
By: Ryan Barton on May 2, 2017
You’re reviewing the updated contract from your largest client, when you notice a “Security Addendum.” You read through and quickly realize – you have no idea if your IT partner is doing half of this, and you’re pretty sure you’re out of compliance on the other half. What to do?
This scenario is happening with increasing frequency across many industries, from manufacturing to healthcare to insurance to professional services to government. Large organizations are requiring all their suppliers and vendors to comply with their own security model. These requirements typically include annual risk assessments, ongoing staff training, routine log monitoring, encryption of data in transit, and the like. Virtually every large company is now including these types of requirements in their contracts.
If you supply to a government contractor (or directly to any military branch of the government), then you are required to follow NIST SP 800-171 – a security framework designed for contracts in the defense industry.
Why is this occurring?
To understand why this is happening, first some context:
Security is not a product, and it’s not a feature; it’s a discipline. Security is about reducing risk, systematically and in a disciplined form, across all aspects of an organization. This means that security is delivered through policy, process, training, security controls, and security procedures.
Organizations such as the National Institute of Standards and Technology (NIST – www.nist.gov) release “frameworks” that outline security requirements and controls which organizations can follow. These make sense for all organizations but are especially important for larger companies. These companies then enforce restrictions from the framework out to anyone who is sending them files or storing their data. Hence, the contracts.
What to do?
A multi-faceted discipline across policies and controls can be extremely challenging in a small business. Most of these frameworks and requirements assume the presence of dedicated cybersecurity staff on payroll – something virtually nonexistent in the small business world. While every business should take an intentional, sophisticated approach to cybersecurity, very few do. If you find yourself scrambling to fulfill the requirements of a contract, you are not alone.
Once you’ve recognized the need to comply with contract requirements or a framework, we recommend considering the following questions:
- Do I have the resources in my current team and vendors to understand and implement these controls quickly and cost-effectively? Interview your IT support, contractors, or staff.
- Is this a client that is integral to the business and worth some expense and hassle in order to keep? Recognize that even if the answer is “no,” the number of these contract restrictions is increasing significantly, so future clients are likely to implement similar procedures.
- Do we have the ability to lead this in-house? If yes, we recommend a process of:
  - Outline all the requirements clearly, in an auditable format.
  - Differentiate the required items from recommended items.
  - Determine whether a risk assessment is required and, if it is, whether it can be a self-assessment or whether a third-party risk assessment is required.
  - Schedule a risk assessment, if one hasn’t been done before.
  - Gather all of your policies that relate to security (including the employee handbook), network documentation, procedures, and IT documentation.
  - Set up interviews with the various involved staff – IT, operations, HR, etc.
  - Work through the list of requirements, marking areas of noncompliance and preparing a “Compliance report.”
  - Work with IT to implement procedures, identify products, and increase documentation in order to fulfill each component.
  - Talk with your insurance agent about cyber liability coverage, and ensure that you have the right coverage to cover costs in case there is an incident.
- If no (the organization does not have the resources to lead this internally), look for a partner with experience with similar-sized businesses facing similar challenges. There are many quality security firms out there, but most focus on larger businesses, or on businesses with high-security environments (such as banks). The key is to find a partner that can understand the core business need, be efficient in terms of cost and time, and has the expertise to create a clear path to full compliance.
Mainstay’s cybersecurity team works across industries, focusing on small business, for information security and compliance. If you are facing this scenario, we would love to talk, give recommendations, and discuss whether we might be able to help. Feel free to give us a call at 603.524.4774 today, or contact us online.
If you aren’t facing this scenario, but you have large-organization (or highly sophisticated) clients, then prepare for this to come. And you might want to double check your current contracts and make sure you haven’t signed something you aren’t aware of! If you experience a breach and are found to be out of compliance, the penalties can be severe.