Tech & Sourcing @ Morgan Lewis

Contract Corner

Cybersecurity has earned its place at the top of organizations’ risk concerns during the COVID-19 pandemic. Remote working, an array of communication solutions and hardware being used by organizations, and the accelerated leveraging of cloud-based outsourcing solutions have increased the chain of potential vulnerabilities to cyberattacks.

Cybersecurity Risks

The pandemic has increased the risk that cybercriminals will infiltrate remote desktop access and gain administrator access, steal and/or encrypt confidential and sensitive information, and extort payments for the return of that information. The distributed denial of service attack of the New Zealand Stock Exchange in August 2020, which disabled its ability to publish public announcements and disrupted trading activity, was reportedly part of an extortion attempt.

Spoof email accounts impersonating familiar contacts of employees in order to elicit sensitive information or transmission of payments are a particular problem. The plethora of communication methods and virtual meeting platforms used by employees, contractors, and service providers on devices may conceal signs of malicious communications.

Many organizations accelerated their migration to cloud-based solutions during 2020, and application programming interface (API) security and risks of misconfiguration on scale are other key concerns arising out of the last year.

Managing Risks

Discussed below are considerations to mitigate cybersecurity risks during the pandemic.


When engaging potential IT suppliers, or reviewing current suppliers, in addition to security controls your organization requires in "normal" times, define controls required specific to remote working environments. These may relate to

  • data flows and centralized data storage;
  • methods of remote access to your organization’s network, including access controls, such as through firm hardware or online portals using personal hardware;
  • device inventories; and
  • use of subcontractors and visibility of their security and access policies and procedures.

Access Management

The increasing number of cyberthreats that remain reliant upon infiltration via endpoint users is a reminder that IT service agreements should define who authorized users are and set out clear approval, validation, and refresh processes for continued access. Responsibilities and controls around privileged access rights should be robust.

Remote working arrangements during the COVID-19 pandemic have for some organizations required a flexible number and composition of system users, and agreements should take account of this. Allocation of responsibility for validating users and access controls should be clearly delineated.


Organizations may seek warranties of additional levels of security taken by the supplier to address remote working risks, such as controls around any increased reliance on remote desk protocol, access procedures, the physical security of home environments, and consequent confidentiality risks. Other more general warranties may verify the absence of viruses and the supplier’s standard of virus prevention.


Immediate notification obligations on a supplier in respect of actual and potential security breaches are a common customer request.

To address the heightened pandemic risks, organizations may seek notification and reporting obligations from suppliers in respect of any material communications around data breaches, not just of breaches themselves, in order to require visibility of any extortion demands or threats to leak customer data.

While the points above provide no vaccine against all cybersecurity risks, they may offer the contractual equivalents of wearing a facemask and operating an effective track-and-trace system to protect your IT security arrangements as we continue in this new normal.