Tech & Sourcing @ Morgan Lewis


Cybersecurity remains at the top of the list of risk concerns when organizations outsource IT and other functions leveraging cloud-based solutions. While there are no guaranteed methods to fully eradicate cybersecurity risks, companies should consider taking the following steps to mitigate the risk.

#1 – Diligence!

As a first step, it is helpful to define the minimal security controls that you will require your outsourcer to implement and adhere to, and then compare your organization’s own security requirements to the outsourcer’s solution. You can begin by forming a cross-functional due diligence team with stakeholders such as IT security, internal audit, compliance, and business owners to conduct robust and meaningful reviews of an outsourcer’s security solution and evaluate essential factors, including the following:

  • Types of data
  • How data is flowing and transferred
  • Location of data
  • How your organization’s privacy policies align with the outsourcer’s
  • Encryption requirements and access control processes
  • How remote access is handled
  • Whether the outsourcer follows industry best practices and regularly monitors and audits its controls
  • How the outsourcer uses subcontractors
  • Applicable laws and regulations

#2 – Define Roles and Responsibilities

Often, organizations believe they are giving up too much control with respect to their security solutions. However, it is possible to maintain control through good oversight, even when outsourcing. While the roles may change with respect to security, both parties will need to participate in activities relating to security as well as agree to a transparent responsibility structure.

Ensuring that you have meaningful security requirements in the contract is important, but it is just as important to regularly monitor and enforce the terms that are negotiated. This will require a robust governance structure and strong audit rights, with remedies for noncompliance with security policies.

#3 – Require Good Change Management

Ideally, detailed policies and controls are part of the outsourcing contract, and should only be subject to change by written agreement of the parties. However, many cloud vendors may try to insert the ability to unilaterally update these policies on the basis that they are applicable across the entirety of their client bases. You should consider whether certain changes (such as changes that could adversely affect your organization or require your organization to incur material cost) require notice, approval, and/or a minimum period of time to implement. Will you be required to be on the most current release for all changes? Consider whether there is any ability to be within a certain number of back releases.

Bottom Line

Cybersecurity will undoubtedly remain a top-of-mind concern for prudent organizations. When using the services of outsourcers and cloud vendors, you will need to ensure that you are selecting outsourcers or other vendors that are able and willing to provide the type and level of security controls and service that your organization requires. And once you do find that vendor, it is important that you monitor and enforce the agreed-upon requirements.