December 5, 2016

Third Party Cybersecurity Risk During the Response and Recovery Phases

The concern over third party cybersecurity risk raised during the Target breach and re-emphasized following the Office of Personnel Management (OPM) breach continues to dominate conversations in cybersecurity circles. In most cases, mature organizations have responded by incorporating contractual language to cover data breach notification and the right to audit. Many also require cybersecurity policies, cybersecurity insurance, or risk assessments. These risk management procedures attempt to help the organization detect cyber incidents quickly and maintain a level of cybersecurity maturity. Unfortunately, these mitigations do not help control the cascading consequences following a cyber incident, whether it is a breach, denial of service, or another type of attack. The cascading consequences include brand degradation, ongoing legal battles, and more.

While a government entity or court can issue a National Security Letter or gag order, respectively, companies must have specific and robust contract language in place to prevent third party entities from disclosing information about a cyber incident which could damage the brand or business operations of your organization.

Companies can invoke the spirit of a gag order by enforcing third party behavior in contracts and re-enforcing it during education / training, contract renewals, and vendor audits. Fortalice proposes the following recommendations for organizations to ensure their vendors do not jeopardize the response and recovery efforts following a cyber incident:

1. Stipulate in all contracts (NDA, MSA, etc.) with third party entities that all information, including notes, reports, logs, security settings, impressions or observations, and other documents (“data”) prepared by the third party organization or individual in connection with the incident, including all copies, is the sole property of your organization, and that, while the third party may keep the data in its custody, it remains at all times subject to your company’s control. Outline in the agreement that the third party cannot acquire the data or otherwise obtain any right or license to it.

2. Ensure all communications are covered by attorney-client privilege, work product privilege, or confidentiality clauses. Federal and state courts do not recognize a stand-alone privilege for cybersecurity work product or communications – therefore, include emails, work products, and other related communications as confidential information in contracts with third parties.

3. Identify in contracts the employees and third party individuals working in your organization who have a ‘need to know’ in order to perform services or review data. These individuals should be the only individuals authorized to conduct response or recovery work.

4. Identify in contracts a timeline or sunset clause for the disclosure of data associated with your organization.

5. Require in all contracts written permission from the client before the third party can discuss, print, or reference the cyber incident by name on their own media platforms or in external media.

6. Outline the prohibited actions for all third party entities in your Cyber Incident Response Plan and provide requirements that apply once the plan is invoked.

7. Outline the third party requirements that apply before a cyber incident in the contractual agreements. For example:

8. Require all third parties which have access to your corporate network to sign and acknowledge receipt of your organization’s acceptable use and privacy policies.

9. Ask the third party to file a copy of their incident response plan with your organization annually.

10. Determine the method of communication and the point of contact for incident detection, and for communication during and after the incident.

Preserving the Privilege During Breach Response:

Data Security Contract Clauses for Service Providers: