Chapter 11: Cybersecurity and Legal Protections
Cybersecurity third-party risk is not confined to due diligence efforts and security evaluations. One of the key components of lowering cybersecurity risk as a company is to use contract language that addresses this risk. This is not to say that cybersecurity professionals must also act as attorneys for their firms; rather, the cybersecurity team must be prescriptive to the legal team about which security controls vendors need to meet before contracts are signed and executed. Cybersecurity begins with defining the security standards for third parties, which in turn set the criteria for when cybersecurity language is appropriate in a contract. Those definitions are then extended with criteria for when cybersecurity is engaged on legal terms and conditions; there must be a clear definition of how that process is completed, as well as a defined process for a Risk Acceptance (RA) covering any item(s) that present a risk to the organization.
Legal Terms and Protections
Starting with a Security Standard or Policy, the cybersecurity team lays out exactly what a vendor is required to meet. While the actions surrounding this have been covered in previous chapters, this chapter discusses the legal terms and protections that cover the domains of access management, encryption, vulnerability management, patching cadence, right to perform audits/assessments, privacy, data center security, and so on. As the standards are written, they are linked ...
Get Cybersecurity and Third-Party Risk now with the O’Reilly learning platform.