Cyber Risk Management Through Vendor Contracts



1 Cyber Risk Management Through Vendor Contracts
Mitzi L. Hill, Taylor English Duma LLP, 17 November 2017

2 Overview
- Why Cyber Issues Matter
- Costs of a Cyber Incident
- Vendors of Which to be Aware
- Contractual Provisions

3 Why Cyber Issues Matter

4 Cyber Issues Present Many Areas for Focus
- Third-party liability
- Disruption
- Remediation Costs
- Confidentiality of Business Information Assets

5 Problems That Aren't Third-party Liability
Business Disruption
- Discover problem
- Plug the holes
- Replace data, hardware, personnel
- Bring in outside experts: forensic, data recovery, PR, legal, insurance, consumer notice
Remediation Costs
- See above! And later discussion.
- Recent example: "simple" incident involving employee accident, no hack
  - 3,000 assets breached
  - Internal disclosure ONLY
  - $35k outside notice vendor
  - $25-30k legal fees
  - Three senior executives, daily
  - Other senior executives, weekly or regularly/frequently in first weeks
  - Six to eight weeks to close out the file

6 Problems, Cont'd
Confidentiality of Business Assets
- Pricing
- Customer list
- Sales projections
- Expansion plans
- Marketing strategy
- M&A activity
- Etc.

7 Costs of a Cyber Incident (Large-Scale)

8 Target, 2013
- Multiple class actions
- Multiple vendor actions
- $300M total
  - $10M on consumer liability
  - $100M to vendors/business partners
- Target's insurance coverage: $100M

9 2017 Costs
- Equifax: estimated cost to insurers $125M (million-property-claim-services-idUSKCN1C71Y8)
  - 50-state class action just filed
  - Multiple state Attorneys General investigating
  - Congressional hearings
  - SEC investigation
  - Outside counsel investigation
  - News reports suggest avenues to consider: insider liability, vendor liability, director liability
- Estimated cost per record in a breach in 2017: $141
  - Equifax: $20.4B
  - My client: ~$423,000 if costs are average
  - Lower cost per record than 2016
  - But: larger breaches happening

10 How to Manage Cyber Risks

11 Advance Planning is Key
- Data Audit and Workflow Mapping
- Employee Training and Culture Development
- Insurance
- Contract and Vendor Management

12 Reasonableness Is the Overall Goal of Planning for Most Businesses
- Data privacy unregulated in US
- Security standards have few affirmative models/requirements in law
- Planning:
  - What are your risks?
  - What are the resources available to address them?
  - Which problems do you choose not to address?
  - Which risks and problems can you shift to a third party (insurance, vendor)?

13 Vendors Who Can Present Issues

14 Vendor Identification
- IT services of any kind
  - Network management
  - Device management
  - Cloud storage
  - Remote storage
- Personnel/consultants with physical access to premises and equipment, especially network (company address, etc.)
- Services that take your confidential information into their custody or access it from your network
  - Employee self-service portal list management
  - HR or back-office financial functions

15 Clauses to Review and Standardize

16 Scope of Services
- Spell out any physical access to data, equipment, premises
- Specify who provides what
- Right to approve personnel performing work
- IT Services
  - Agreed "acceptance" criteria
  - Agreed testing environment, methods
  - No testing in "live" environment
- Data custody and control

17 Data Custody and Control
- What data are part of/subject to the agreement
- Back-up and recovery mechanisms for data
- Return of data, not just Confidential Information, at end of term
- Data as a defined component of CI
- Data as your property/CI
- Remedies for data loss, impairment, loss of use, unauthorized access/use/distribution
  - "Breach" versus "incident"
  - Investigate
  - Report
  - Pay direct costs
  - Pay or insure for indirect costs

18 Reps & Warranties
Common disclaimers
- Loss of use of data
- Accuracy, error-free
- Loss of business
- Loss of profits
- Quality of work/performance
Affirmative reps/covenants
- Access to data during normal operations, scheduled downtime
- Disaster recovery measures or access guarantees
- Return of data in usable form at end of term
- Certain technical security standards, or "industry practice" measures: keeping patches up to date, requiring employees to abide by confidentiality standards, etc.
- Primary responsibility for loss, etc. of data and timeline for notice to you
- Carriage of cyber insurance in amounts and types relevant to the nature of the agreement
- Any requirements from your insurer regarding security, insurance coverage, etc.

19 Indemnification & Insurance
- Breach of Agreement
- Breach of reps/warranties
- Breach of CI, Data Security clauses
- "Losses," "claims," or "costs"

20 QUESTIONS?
Mitzi L. Hill
