Contract Reviews

Make every term and condition formal and legally binding so that your organization stays protected. Defentrix Contract Review Services dig into the fine print, where small details often carry a major impact.

Bind your Third Parties with contracts that are legally enforceable on both sides

Negotiating contract terms is an art and can be tricky. It is usually done with facts and inputs from various stakeholders, such as:

  • Business Unit (level of service, uptime, deliverables)
  • TPRM (inherent and residual risk)
  • Procurement
  • Legal
  • Audit
  • Other teams

and against the following considerations:

  • Applicable laws and regulations (privacy, financial, healthcare, insurance)
  • Implications and insurance coverage
  • Liability and indemnity

It is often a lengthy process that can run from a few days to a few months, and sometimes a whole year. Carefully drafting the right language, with a documented justification for each clause, secures favorable terms in the contract and protects your organization.

Security due diligence performed on Third Parties is a point-in-time assessment, but the expectation is that Third Parties maintain an effective and efficient security framework throughout the term of the engagement with your organization. One way to legally hold Third Parties to this standard at all times is to oblige them contractually, by adding the necessary security clauses to the contract, MSA or agreement. Associated clauses on liability and indemnity should be added to protect the organization if there is any lapse in their security practice.

This is one of the crucial and tricky parts: the agreed terms are generally negotiated once, before onboarding, and revisited only when there is a material change in the agreed scope or at a defined trigger point, such as:

  • A change in the way services are delivered or consumed
  • Services extending into new geographies
  • Each renewal cycle
  • Off-boarding of the Third Party

Common Challenges Faced by the Businesses

Third Parties with a monopoly in the industry, or who have the advantage of being the only provider in the region, often have the upper hand in negotiating contract clauses, which leaves very little room for negotiation. This leads to a compromise: accepting their terms, which may not be as mature as your own security standard. Weaker clause coverage means weaker liability and indemnity protection, which exposes your organization to risk.

It is also observed that adding the entire security exhibit results in delays and extended timelines, as multiple teams from both parties need to review the changes, which makes the process less efficient and less productive. Instead, the outcome of due diligence should be factored in to include targeted additional clauses, for example:

  • Achieving ISO 27001 certification in the next quarter
  • Conducting an external VAPT (vulnerability assessment and penetration test) in the next month
  • Enforcing security awareness training by year-end
  • A roadmap for future certifications

These additional clauses give management assurance and commit the Third Party to deliver; failing to do so constitutes a breach of contract.

What we do in the TPRM Contract Reviews Phase

Guidelines on how to approach the contract review process from a security and legal standpoint.

Create a methodical process with inputs from the engagement overview, data flow, assessment findings, risks identified, applicable regulations, security standards, etc.

Create versions of security exhibits satisfying various categories of Third Parties and criteria.

Having customized versions of security exhibits to cater to different categories of Third Parties eases the contract review and negotiation process.

Simplified, process-oriented review based on facts and the future roadmap

A well-defined contract review process with a clear RACI reduces the overhead and the overall time taken to finalize the contract, and an escalation process approved by the stakeholders helps the business execute the contract seamlessly.

Thresholds for accepting changes to each clause, defined and agreed within the risk appetite of the organization

Standard security clauses in contracts are often pushed back on by Third Parties, so the allowed deviation from each clause needs to be considered carefully, documented and approved by senior management.

Document the justification for each clause in the exhibit

As per industry best practice, the applicability of each clause should be stated along with a brief description, so that both parties understand why it is included.

Appropriate liability and indemnity clauses covering incidents and breaches

Security incidents affecting your organization must be communicated within the defined SLA, and compliance with that SLA should be audited. Cooperation and support from Third Parties during incident investigations by regulatory authorities must also be factored in.

Inventory of all processed contracts

Earlier iterations of a contract or agreement come in handy during re-negotiation and at contract renewal. They are also crucial from the Internal Audit standpoint and useful for training internal resources.

Guidelines for Procurement and Legal

A standard way to approach critical and non-critical categories of Third Parties from the business and security perspective.

Benefits of engaging Defentrix for TPRM Contract Reviews

Customized security exhibit

Negotiate terms that are favorable to your organization

The business understands the full impact of missing or ineffective clauses

Templates to ease the documentation (e.g., for attestation from a Third party)

Training and workshops on the best methods to approach contract and agreement reviews
