Tech & Sourcing @ Morgan Lewis


As we have previously discussed, cybersecurity threats are mounting and are a major concern for senior management. In this month’s first Contract Corner post, we discuss contract provisions that cover the implementation and maintenance of proactive and preventive security measures. Below we list some key issues to consider when drafting these types of security provisions.

Documenting Security Requirements

As part of the contracting process, the vendor should agree to abide by the terms of a detailed security plan that meets or exceeds a customer’s requirements. When developing this documentation, consider how the vendor will do the following:

  • Ensure the security of customer data—Will the vendor warrant a specific, detailed security system, or will the customer rely on conformance to more general security standards? How will the vendor monitor security risks and breaches?
  • Protect against viruses and other threats to the integrity of customer data—Will the vendor warrant the absence of viruses or merely a standard of prevention? Is the vendor obligated to remediate all viruses, even if it did not cause them?
  • Protect against unauthorized access of customer data—What technology and processes will the vendor use to control access? What are the customers’ responsibilities, and how will the vendor test its defenses and notify customers of any unauthorized access?
  • Improve security systems—Will the vendor agree to meet or exceed best industry security practices as they evolve in the future?
  • Change any security measures—Will any vendor-initiated security changes require the customer’s consent? Will the customer have the ability to require changes?

Monitoring Security Commitments

Unless an actual security breach occurs, the customer may not be aware that a vendor is not complying with security requirements. Therefore, the customer should have processes in place to verify the implementation and efficacy of these requirements before a security failure occurs. Some questions to consider regarding security audits include the following:

  • How often will the vendor perform security audits? What will those audits test? What reporting will the vendor provide to the customer?
  • How can the customer participate in the vendor’s audits? Can the customer perform its own security audits of the vendor?
  • What are the remedies for any deficiencies found during an audit?

It is essential that that the security teams for both the customer and the vendor be part of the process in developing both the contract terms and the security plan. They will be responsible for implementing and monitoring these requirements and will be the first ones called when there is a breach.

This post is part of our recurring “Contract Corner” series, which provides analysis of specific contract terms and clauses that may raise particular issues or problems. Check out our prior Contract Corner posts for more on contracts, and be on the lookout for future posts in the series.