September 15, 2019

September 13, 2019


September 12, 2019


Organizations Increasingly Meet Cybersecurity Needs Through Outsourcing

According to a recent Intel Security report, 60% of IT decision-makers surveyed work at organizations that outsource at least some cybersecurity work, a trend driven in part by in-house cybersecurity skill shortages. Although organizations of all sizes face cybersecurity risks of increasing diversity and sophistication, 82% of respondents reported challenges in hiring enough skilled cybersecurity workers to address those risks, a challenge that is being met by outsourcing many cybersecurity functions.

According to the report, the cybersecurity functions most frequently outsourced are risk assessment and mitigation, network monitoring and access management, and repair of compromised systems. Organizations surveyed say that they will most likely expand outsourcing of cybersecurity functions in the future, with a majority of those surveyed expecting that cybersecurity solutions will be able to meet most of their organizations’ needs in five years. In particular, the functions most likely to be outsourced are those capable of automation. Almost 90% of respondents said that cybersecurity technology solutions could help compensate for skill shortages.

Companies should carefully consider the liability and other contract implications of outsourcing cybersecurity functions before turning to outsourced experts to manage cybersecurity risks. As we discussed in a past Contract Corner post, customers and service providers are generally focused on allocating cybersecurity liability in indemnification and liability provisions because of the potential for large-scale damages from a security incident. This concern is only amplified for agreements focused on cybersecurity services. The following are some key issues to consider when negotiating these contract provisions:

  • Rather than relying on general negligence or contract breach standards, consider adding security incidents resulting from a contractual breach as separate grounds for indemnification coverage.

  • Determine whether indemnification is limited to third-party claims or includes other direct and/or indirect damages and liabilities caused by a security incident.

  • Coordinate indemnification defense with incident response provisions and consider the effect on a customer’s client relationships where the vendor assumes such defense.

  • Assess whether all potential damages from a security incident are covered by the damages provisions, including any damages that may be considered indirect or consequential.

  • To determine the allocation of liability, consider the contract value, industry norms, type of data at issue, potential business exposure, cost of preventative measures, and cause of the security incident.

  • Consider calling out specific damages related to a security breach that are not subject to any cap or exclusion to provide clarity and protection—such damages can include the costs of reconstructing data, notifying clients, and providing them with identity protection services.

Copyright © 2019 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

About this Author

Barbara Melby, Morgan Lewis, data privacy and cybersecurity lawyer
Partner

Barbara Melby has been active in the outsourcing and technology transaction legal market for the last 25 years. As leader of the firm’s technology, outsourcing & commercial transactions practice, she represents clients in such complex transactions as outsourcing, strategic alliances, technology and data-related agreements, and other services transactions. She also advises businesses on privacy and security issues that arise in transactions involving sensitive data and technologies.

215-963-5053

Glen Rectenwald, Morgan Lewis, Technology Attorney
Associate

Glen W. Rectenwald focuses his practice on technology, outsourcing, and commercial transactions. He regularly assists a broad range of clients with development, licensing, and distribution agreements; strategic alliances and joint ventures; manufacturing and supply agreements; complex outsourcing and strategic commercial transactions; and general commercial matters. Glen’s experience also includes mergers and acquisitions, private equity, venture capital, and general corporate matters.

412-560-7413