There are specific contractual obligations you need to fulfill before closing deals. Sometimes, those obligations have costs and risks associated with it. That’s why you need to fully understand what’s in your contract before agreeing to it.
We have categorized some common security-related contract terms to help you understand their implications, associated costs and risks. The groups are:
1. Policies and Processes
3. Compliance Standards
In the first part of this blog series, we examined the policies and processes as well as controls groups. In this blog, we explore the common compliance standards and general security terms that clients often ask for from a service provider.
Items are identified as Low Risk/Cost ($), Medium Risk/Cost ($$), High Risk/Cost ($$$) or Extremely High Risk/Cost ($$$$) purely as an estimate/guideline.
Compliance Standards ($$$ to $$$$)
Clients typically choose to work with service providers that comply with regulatory standards. If you don’t have a certification in a compliance standard, here are some common ones for you to consider.
System and Organization Control 2 (SOC2) is popular within Software-as-a-Service (SaaS) companies and it has two stages:
SOC2 Type 1 – When an organization achieves readiness, it needs to complete an audit. This audit attests to the fact that the organization is following the standard and has the right processes, policies and controls in place. Depending on your level of maturity, complexity of your offering and available resources, you can take approximately three to 12 months to prepare for a SOC2 Type 1 certification.
SOC2 Type 2 – It typically runs for six to 12 months after the initial Type 1 audit. We highly recommend you renew Type 2 annually.
SOC2 has five Trust Services Categories: Security, Availability, Processing Integrity, Confidentiality and Privacy. You should select to audit against these categories based on client needs and your operating model. The more categories you choose to audit, the more expensive the preparation and ongoing audits will be.
The National Institution of Standards and Technology Cyber Security Framework (NIST CSF) is common for organizations selling to US federal government entities. In 2017, the Trump Administration signed an executive order requiring federal government agencies to measure and report gaps against the NIST CSF. This has led to cascading requirements for a variety of supply chain providers servicing the government sector. If you sell to defense agencies, you need to comply to the NIST Defense Federal Acquisition Regulation Supplement (DFARS) standard.
The International Organization for Standardization (ISO) series of standards is common to manufacturing organizations, non-US government departments and European businesses. Many organizations that are trying to bring structure to their security operations and processes choose to adopt the ISO 27001:2018 standard. Certification is possible but not necessary in many cases. The ISO27017 is for cloud services providers and the ISO27018 is for organizations using public clouds to act as processors for Personally Identifiable Information (PII).
The Health Insurance Portability and Accountability Act (HIPAA) is more of a set of guidelines than a hard standard like the others. If your business handles protected US resident Personal Health Information (PHI), you need to be compliant with HIPAA. HIPAA is strict in controlling the handling and exchange of PHI.
The Federal Risk and Authorization Management Program (FedRAMP) is an extensive US federal government compliance standard for cloud providers. Organizations often take significant effort to comply with this standard.
The General Data Protection Regulation (GDPR) is a European Union (EU) privacy standard. If non-compliance leads to a breach, you can be fined up to four percent of your company’s annual turnover. This standard has strict requirements in the following areas:
· Consent (it is the reason you see “cookie warnings” on most websites)
· The provision of your Data Privacy Officer’s name
· Data Processing Agreements
· User’s right to request a copy of all personal data held by a provider
· User’s right to be forgotten
If you collect EU citizen data, you are required to comply with this regulation.
The California Consumer Privacy Act (CCPA) is California’s privacy standard modelled after the GDPR.
The Cloud Security Alliance Consensus Assessment Initiative Questionnaire (CSA CAIQ) is a self-guided questionnaire with several hundred questions to complete. It is similar to a light-weight audit.
The Health Education Curriculum Analysis Tool (HECVAT) is a framework for higher educational organizations to assess vendor risk. Questions and requirements in this framework are similar to others listed.
All organizations that handle credit card data need to comply with the Payment Card Industry (PCI). If your company runs payments through a third-party processor such as Stripe, PCI does not apply to you. However, we still recommend that you complete a self-assessment questionnaire (SAQ-D) as a best practice.
💡 There is a lot of overlap between the standards listed above. Completing compliance in one standard (e.g. SOC2) helps address gaps that exist in other standards as well. It is usually best to pick a standard that the majority of your clients ask for or would accept.
💡 If you don’t currently have certification in a requested standard, do your research before committing to one in a contract. Certifications can be expensive and time consuming to achieve. Clients often accept language such as “our security program aligns with NIST” or “we are working on SOC2 Type 1 readiness and expect to be ready for audit in Fall 2021.”
💡 If you state compliance to a given standard, don’t be surprised if the client asks for an audit or attestation report. Don’t sign it unless you can produce it.
There are standalone requirements that clients often look for in a service provider. Those requirements do not fall into the other groups mentioned in this blog series, but they are equally as important.
Insurance ($$) – Besides the traditional insurance requirements like commercial general liability (GCL) and errors and omissions (E&O), increasingly, businesses are requiring cyber insurance to cover elements including breach costs and incidents. Before agreeing to the cyber insurance, confirm you have this coverage, adding that insurance can be expensive.
💡 Cyber Insurance can help offset costs when contract language requires you to reimburse your clients for the cost of breaches.
Contract linkages ($$$) – Clients often attempt to link to external policies or standards in their contracts as a way of controlling future changes or risks. For example, they may attempt to link to their internal/external information security policy and state that you must remain current, up-to-date or adhere to future versions of their policies.
⚠️ Your organization has no control over the future versions of your clients’ policies. Accepting these linkages creates downstream cost and future liability. You can often negotiate to remove these terms from the contract or give yourself an escape clause. For example, set a limit on future costs or suggest that the client is responsible for the costs associated with making future changes to policy.
Right to audit ($$) – Requesting a right to audit is very common, but very few organizations will actually carry out an audit on a regular basis. Your risk of audit increases for each additional client you sign.
💡 It is reasonable to negotiate the scope of audits and/or request your client to cover the audit costs. This way, you can reduce your risks. Simply adding terms like “limiting impact to operations” or “costs will be covered by the client” can enable more control. It is a red flag if your client is unwilling to be flexible on terms like this.
⚠️ Watch out for “site audit” requirements that grant permission for inspection of physical sites. Most cloud-hosted companies do not have a right to site access as part of their agreements.
If you want to learn more about navigating contracts and security questionnaires (another important component when selling to enterprises and closing deals), watch this webinar presented by Michael Argast, CEO and co-founder of Kobalt.io.