Addressing cyber risk effectively in contracts

By Erin Ayers on May 21, 2015

exariWodetzki200x200For organizations that suffer a cybersecurity breach, much of the cost and consequences of the event depend on the speed and efficacy of the response, as well as preparing for an event both in theory and in all contracts to which any organization is held. Jamie Wodetzki, co-founder and chief product officer at Exari, a provider of contract management solutions, recently offered Advisen a few tips on properly reflecting cyber risk in contracts across the organization.

Are organizations paying enough attention to how their contracts address cyber risk?

Everyone seems to be a lot more sensitive now. Anyone could have predicted that this would happen, but people don’t pay attention to it until it starts happening. I think everyone was triggered by the New York Department of Financial Services [action on cyber risk for financial institutions and third-party vendors]. But for all that it’s a hot issue, they’re not necessarily on top of it. It’s all about understanding, if a bad event occurs, what is your contractual exposure?

And in the case of cyber risk stemming from third-party vendors, how can businesses protect themselves?

You might think you have good security policies, good defensive measures, or good insurance, but if you have third-party vendors, you have to ask, did you impose on them the same type of requirements? They might well be the weakest link and the thing that brings you down. There’s a whole bunch of contractual armor to use. The contract can be used as a shield. You ask more probing questions, such as, “Have you specifically taken cybersecurity insurance.” You’d probably require good infrastructure and probably try to get them to represent that they have insurance, depending on the nature of the relationship. You’ll probably also address notification time frames. And if you have a whole network of third-party providers or a whole supply chain, you’ll have a lot of contracts.

How can poorly worded contracts or contracts that are silent on cyber risk worsen a breach situation? What should they address?

The problem with contracts is that they’re all big, fat, wordy documents. The first step is to make sure you understand them. After a data breach, there’s a scramble and in parallel with that scramble, there’s also a moment of determining in your contracts – “Who have we promised to notify quickly? Have we consistently said that across all of your customer contracts and suppliers?” If not, you’re stuck and you’re going to be in breach of contract. You’ve now given everybody a bigger stick to attack you with.

Do you see effective contract management as improving the standing for organizations with insurers, regulators, lawmakers, and consumers?

They’re able to demonstrate that they have a better handle on this and, with insurance, can potentially get a discount. It’s helpful for legal and risk compliance staff, on a whole range of issues, not just this risk. This is a good illustration, though, because this is a hot-button issue.

Erin is an editor at Advisen. She has 15 years of journalism experience. Prior to Advisen, Erin covered property-casualty insurance for 13 years as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at eayers@advisen.com.