Bind your Third Parties legally with contracts from both sides
Negotiating contract terms is an art and can be tricky. It is usually done with the help of facts and inputs from various stakeholders and considerations, such as:
- Business Unit (level of service, uptime, deliverables)
- TPRM (Inherent and residual risk)
- Procurement
- Other teams
- Legal
- Applicable laws & regulations – Privacy, Financial, Healthcare, Insurance
- Implications & Insurance
- Liability & Indemnity
- Audit
It is often a lengthy process that can run from a few days to a few months, and sometimes a whole year. Carefully drafting the right language, with justification, can secure favorable terms in the contract and protect your organization.
Security due diligence performed on Third Parties is a point-in-time assessment, but the expectation is that Third Parties maintain an effective and efficient security framework throughout the term of their engagement with your organization. One way to legally hold Third Parties to keeping their guard up at all times is to oblige them contractually, by adding the necessary security clauses to the contract, MSA or agreement. Associated clauses on liability and indemnity should be added to protect the organization if there is any lapse in security practice.
This is one of the crucial and tricky parts, as the agreed terms are generally negotiated only once, before onboarding, unless there is a material change in the agreed scope for one of the following reasons:
- A change in the way services are delivered or consumed
- Services extending into new geographies
- A renewal cycle
- Off-boarding of the Third Party
Common Challenges Faced by the Businesses
Third Parties with a monopoly in the industry, or that have the advantage of being the only provider in the region, often have the upper hand in negotiating contract clauses, which leaves very little room for negotiation. This leads to a compromise: accepting their terms, which may not be as mature as your security standard. Weaker security coverage in the contract in turn weakens the liability and indemnity protection available to you, which exposes your organization to risk.
It is also observed that adding the entire security exhibit results in delays and extended timelines, as multiple teams from both parties need to review the changes, making the process less efficient and less productive. Findings from the due diligence should instead be factored in as additional clauses, for example:
- Achieving ISO 27001 certification in the next quarter
- Conducting an external VAPT (vulnerability assessment and penetration test) in the next month
- Enforcing security awareness training by the year-end
- Roadmap for future certification
These additional clauses give management assurance and commit the Third Party to fulfilling them; failing to do so amounts to a breach of contract.
What we do in the TPRM Contract Reviews Phase
Guidelines on how to approach the contract review process from a Security and Legal standpoint:
- Create a methodical process with inputs from the engagement overview, data flow, assessment findings, identified risks, regulations, security standards, etc.
- Create versions of security exhibits satisfying various categories of Third Parties and criteria. Having customized versions of security exhibits to cater to different categories of Third Parties eases the contract review and negotiation process.
- Simplified, process-oriented review based on facts and the future roadmap. A well-defined contract review process with a clear RACI reduces the overhead and overall time taken to finalize the contract, and an escalation process approved by the stakeholders helps the business execute the contract seamlessly.
- Threshold for accepting changes to each clause, defined and agreed within the organization's risk appetite. Third Parties often push back on standard security clauses, so the allowed deviation from each clause needs to be considered carefully, documented and approved by senior management.
- Document the justification for each clause in the exhibit. As per industry best practice, the applicability of each clause should be stated with a brief description, so that the reason for its inclusion is understood.
- Appropriate liability and indemnity clauses to provide support from an incident or breach perspective. Security incidents affecting your organization should be communicated in adherence to the defined SLA and should be audited. Cooperation and support from Third Parties during incident investigations by regulatory authorities must also be factored in.
- Inventory of all processed contracts. Earlier iterations of the contract or agreement come in handy during re-negotiation and contract renewal; they are also crucial from an Internal Audit standpoint and serve as internal training resources.
- Guidelines for Procurement and Legal. A standard way to approach critical and non-critical categories of Third Parties from the business and security perspectives.
Benefits of working with Defentrix on TPRM Contract Reviews
- Customized security exhibits
- Negotiation of terms that are favorable to your organization
- The business is aware of the length and breadth of the impact of missing or ineffective clauses
- Templates to ease the documentation (e.g., for attestation from a Third Party)
- Training/workshops on the best methods for approaching contract/agreement reviews