Reviewing and evaluating vendor agreements is an important task for cybersecurity teams and budget holders. An important supply chain stress test, it provides an opportunity to identify and address weaknesses and changing needs, ensuring that a good contract with clear deliverables and expectations is part of a cybersecurity defensive strategy alongside the people and the technology.
April 2025 was a bad month for the cybersecurity teams of retailers. Attacks on Marks and Spencer (M&S) and the U.K. Co-op retail chains were global news; not only that, they highlighted a new threat in an area of cybersecurity over which many organizations are looking to bolster their level of control: supply chain security.
The common factor? Both attacks were carried out through trusted third-party support providers: companies that, by necessity, had high-privilege access into the retailers’ systems so that they could provide service desk and other support services. In both cases the attackers convinced the outsourced service desk staff that they were legitimate users and persuaded them to reset passwords and Multi-Factor Authentication (MFA) apps so they could gain digital access and carry out their attacks.
In these cases, the failures were largely procedural: either the procedures for identifying callers and validating requests were sub-standard, or they were OK but were not followed properly. CISOs around the world have found themselves thinking: “That could have been us” and have rushed to implement better validation of service desk callers.
Long Term Agreements Risk Long Review Cycles
Again, if we use M&S as an example, the cyber-attack it experienced spotlighted the fact that it has more than one current IT supply chain partner relationship that has been in place for over a decade. This is not unusual or necessarily an issue. But it is illustrative of the need for regular contract reviews, as you simply can’t be sure which vendor relationships will develop into long-term ones.
A long-term, close engagement brings the benefit of the service provider gaining tremendous knowledge of the client’s people and systems over time. The benefit runs in both directions: large service providers have large numbers of clients, which means they can use their experiences with other clients – both good and bad – to the benefit of each of their customers.
Longevity of relationships is also partly down to a slightly less positive factor: switching to another provider can be a long, difficult and risky project (known as vendor lock-in) and so if a relationship is satisfactory it’s tempting to stick with it, at least for a few years.
Managing Expectations and Deliverables
The most prominent question when any client challenges a supplier is: what does the contract say? Relationships of this type are typically three- or five-year engagements – anything less than three years risks being counterproductive, as the end of the agreement is upon you before the engagement has bedded in.
This means that every so often there are discussions about continuing the relationship and, often, an extension is signed off and the relationship rolls over for another few years.
When contract review time arrives, what do you do? Do you actually review the contract? Do you spend time analyzing a potentially long document, full of legalese? Do you, as an IT or cybersecurity specialist, even have the necessary skills and knowledge to understand the agreement properly and execute changes or hold the supplier to it? We have no idea how a given organization would answer these questions – especially in the event of an incident. If we look at the wider world the answer – in far too many cases – is that there’s a cursory look and then the extension is signed. The path of least resistance is to re-sign with the vendor you trust, perhaps after a bit of price negotiation and then get on with running your business with little or no interruption.
Nonetheless, a review is absolutely essential. Things change radically over one three-year agreement cycle – so after two or three cycles the technology you are using will be completely unrecognizable from what you were using on day one. More importantly, cybersecurity threats will have had years to evolve. There may even have been significant evolution in concepts like supplier management techniques, along with new case law derived from supplier contract disputes elsewhere. A contract can survive three or four years, but once it nears a decade old it is highly unlikely to still be fit for purpose in its original form.
Approaching Vendor Contract Reviews
Proper contract reviews are essential, but it is very easy – and common – to do them badly. Let us look at five factors that are essential before you even pick up the pen to sign on the line.
First: involve the right people. Chances are that if you are reading this, you are a cybersecurity professional and probably not a lawyer (but we do know there is a group of ISC2 members who are both). Even if you are legally proficient, you’re probably not a contract lawyer. It’s likely that the contract you are discussing is costing the organization a significant amount of money, so a modest amount spent on a decent lawyer if you don’t have in-house counsel (and it does not need to cost tens of thousands of dollars) is money well spent. The reverse is also true: your lawyer is not necessarily an IT or cybersecurity specialist, so if you are to end up with a positive result then you and they need to work in lockstep throughout the review process. Keep in mind one of the common “wins” a lawyer will bring that you can’t: you might be able to have a go at reviewing what is in the contract, but their special talent is to tell you what is missing!
Next: inject a big dose of pragmatism into your discussions with the supplier and fight as hard as you can for them to do the same. Particularly where counsel is involved, each side will have its own starting point for contract changes and those points will be a long way apart. This means that unless someone gives some ground, you will never sign anything. It may come as a surprise, but lawyers spend their lives having adult conversations for this reason: each will have a small number of points that they will never, ever negotiate on, but everything else is fair game and middle ground is almost always reached.
Moving on: understand the scale and scope of the deal. Be pragmatic about the relative size of your organization and the supplier’s organization. When your hundred-person company is contracting with a four-hundred-pound gorilla like a Microsoft or a Salesforce, the contractual process is much more of a one-way street and your mission is one of getting comfortable with their terms and conditions. If the roles are reversed and you are contracting a supplier that is a fraction of the size of yours, don’t try to bulldoze them into agreeing to everything you want, because it is unlikely to yield good results.
Fourth, and this is where you contribute most to the review as a cybersecurity professional: the technical details and the price. Circumstances change all the time, so there is no way that the service description should remain unchanged between the current contract and the revised one. You may have commissioned or decommissioned something since you last signed, so make sure that what is in the new document is correct and current. During the most recent service period, have you come across things that you realized were missing? Are there costly elements in there that you haven’t really needed and which could come out? The price is directly proportional to the technical content, so the next term will never be the same as the current term. If the service provision is human-intensive, the price will almost certainly go upwards; on the other hand, we have seen services that are technology-based go down in price because the technology has become more commoditized over time and the price tag has dropped accordingly.
Finally, and most importantly: you are looking to renew your contract with your trusted supplier, with whom you’ve built an amazing relationship and which has provided you with an excellent service for years, so the most natural thing in the world is … make sure the penalty and termination clauses are absolutely crystal clear. Nobody wants to activate the penalty or termination clauses, but they are probably the most important component of any contract, because they are the elements that both parties will rely on if the supplier and client relationship breaks down beyond the point of recovery. As with any part of the agreement, the clauses need to be clear and fair and, above all, achievable.
While you are thinking about termination, think about the penalties for missing service level promises. For instance, service credits may not compensate a client adequately for the downside they experience. So be creative – maybe think of a penalty that will actually help matters, such as the provision of a senior relationship manager for a temporary period to help fix the problem, or maybe an extra 10 hours’ vulnerability remediation work for the coming month … or perhaps a huge cake with enormous candles, with the words “WE’RE SORRY” in big, pink icing.
Understanding the Contract Process is Key
Contracts are central to supplier relationships, but they are also absolutely core to the quality of the service those suppliers provide. If they are not properly reviewed when the time comes, they can be a threat to the quality of an organization’s operations and even a threat to individual security.