TPRM security assessment is followed by recommending appropriate and necessary clauses to the contract that finalizes the onboarding, once agreed upon by both sides. Contracts may at times reveal more information that was perhaps missed during the assessment scoping. It is crucial to review the scope, type of services and/or products delivered, the regions from which they are delivered, and other nuances before reviewing the redlines. It is recommended to take a little extra time to go through briefly the key sections of the contract before addressing the redlines. Although Legal does a great job of ensuring the right legal language in compliance with company standards and local and federal laws and regulations, the TPRM team needs to spend a little more time to find and document such content that was not revealed as part of the TPRM scope.
A few recommended guidelines to follow:
- Ensure the legal name of the third party is the same as documented by the procurement. Companies get merged and acquired, resulting in name changes. It’s important to get the name right for an updated inventory.
- Ensure all the regions listed in the contract from where services are delivered were part of your assessment scope. Missing out on regions may result in validating regulatory non-compliance by your third parties. (Note: a similar approach for agreed scope, integrations, security commitments, etc. should be followed.). Gaps should be documented, and deltas should be risk assessed.
- Discuss with the Legal, Business, Procurement and IT departments to understand the level of deviation that could be allowed for each security domain. E.g., if incident response in your organization mandates 24 hours, depending on the criticality of the services offered, 72 hours could be the threshold that cannot be exceeded.
- Based on the outcome of the risk assessment, if there are high risk/s that need mitigation in the long term, ensure the necessary language is added. E.g., if there are open risks or those with remediation underway, liability and indemnity statements could be adjusted to accommodate possible scenarios. Another example could be to incorporate verbiage to include short-term plans of a third party to achieve certification by a specific quarter/date or to implement a security control. This will legally oblige the third parties to comply, which is a win-win situation.
- Find every opportunity to push the updated security clauses into the contract that is being renewed or extended. Legal can execute an addendum to the original contract, thus saving time on a full review on both sides.
It is best to document such use cases for internal reference and yearly review with the TPRM steering committee and business heads. Seek the external help of TPRM consultants who can guide you in drafting these in alignment with your security standards and requirements.
