If you haven’t recently reviewed your contracts, you may unknowingly be taking on responsibility for another party’s cybersecurity risk.
“If you’re signing contracts without legal review, or haven’t reviewed long-standing contracts, you’re likely carrying more liability than you think,” says Paul Hugenberg, III, CISSP, CRISC, CISA, principal, director of cybersecurity services at Rea & Associates. “Cybersecurity laws are quickly changing, and it’s incredibly important to know your industry. You need to have a clear understanding of your contracts and the risks they may be subjecting you to.”
Smart Business spoke with Hugenberg about understanding the cybersecurity risks contained in your contracts and how to avoid being held responsible for another party’s mistakes.
What clauses may be contained in contracts that could make a company liable for the actions of another business?
Entering into contracts is an everyday business activity, and their terms define what your duties are, what you’ll deliver and what your partner will pay for your services. In most contracts, you accept, or assume that your partners accept, liability for statutory or regulatory control over the data they will take possession of.
For example, in health care, a third-party vendor is held to similar HIPAA privacy standards over patient data as the health care provider. In that case, you need to ensure your business isn’t taking on all of the liability. If the contract language pushes all the responsibility onto you and the health care provider violates HIPAA, you may be liable, even though you didn’t necessarily do anything directly to put the data at risk.
In another example, if you’re buying a business, you’re often acquiring all of that company’s regulatory liability. Unfortunately, too many people fail to consider the cybersecurity liability exposure that is in that company’s contracts.
It is critical to clearly delineate who’s responsible for what.
Why is cybersecurity in business contracts a growing issue?
Most industries haven’t transitioned to the speed and velocity of cyber regulations, which are involved in almost every type of transaction. Templated contracts haven’t kept up with the changes. Every industry has data, and liability has shifted without people realizing it. Every contract needs to be reviewed annually for cybersecurity liability.
In addition, business owners — especially those of smaller businesses — are focused on turning out their product or offering their service, not on their cybersecurity risk. Companies are signing agreements that are not being vetted, and they are not aware that they have taken on all of the liability of another business if there is a breach.
How can business owners protect themselves?
First, understand the laws and regulations around the space you’re operating in. Laws are constantly changing, and laws vary by state. Reach out to a specialist in your space, whether that’s an accounting firm or an attorney.
Then conduct an annual risk assessment. A specialist can uncover risks that aren’t on your radar when engaging third parties and isolate where the gaps are in cybersecurity liability. Ideally, this should be done before signing contracts, or at least before a problem arises. Too often, businesses do not review contracts until an issue arises.
It’s critical to immediately review all of your contracts for indemnification and liability clauses. You may be carrying more liability than you think, and it may be time to renegotiate.
And before you sign other agreements, have them reviewed by someone with knowledge of cybersecurity in contracts.
Insights Accounting is brought to you by Rea & Associates