Understanding Your Cybersecurity Vendor Contract

02.09.2021 Lisa McAuley

This guide is the fourth in a five-part series on using outside firms to reduce your cybersecurity risk.

At this point in the process, you have decided to use outside support to improve your cybersecurity. We’ve provided you with guidance on the various types of service vendors and some tips on how to evaluate them.

In this guide, we provide insight into what you (and/or your lawyer) should look for in the contract. Beyond its legal aspects, the contract is a critical document that defines exactly what services will be provided and what your ongoing responsibilities for cybersecurity will be.

We suggest you use the contract as a checklist to make sure that you and your service vendor have a mutual understanding of responsibilities going forward. You will want to make sure all of your expectations are addressed. Don’t fall into the trap of waiting until there is a breach to understand what is covered in a contract and realizing it does not cover what you need.

It is important that you develop a trusted relationship with your service vendor. Ideally, the vendor will become part of the team helping your organization build and maintain a functional and secure IT capability. Making sure that you understand the contract and the vendor's responsibilities is critical to establishing trust from the beginning. We also suggest holding a quarterly review with the service vendor during which you use the contract as a checklist to assess the relationship and how well it is serving your company and its needs. Cybersecurity threats evolve rapidly, and you want to make sure that you and your service vendor are not only responding to them but proactively implementing measures to stay protected and resilient.

To view the full guide click HERE.