Patching Up Your Information Security Review

In light of recent significant ransomware cyberattacks such as the one that originated in Ukraine and quickly spread to affect hundreds of thousands of computers in more than 150 countries, we wanted to provide a few pointers on shoring up your company’s contractual language to mitigate (or at least shift) the risks involved with these types of attacks.

  • The latest ransomware attack was designed around vulnerabilities in operating system software. In March, prior to the attack, these vulnerabilities were patched by the provider of the software. Thus, the victims of the ransomware were those that failed to properly install the fix. Ensuring that your vendors timely patch software affecting your organization’s sensitive systems is vital. To that end, we suggest including express provisions requiring that the patching of important security fixes be performed, validated, and confirmed within a specific number of days from release.

  • Ransomware attacks that deny access to your company’s systems should be specifically included in disaster recovery and business continuity plans and obligations. Many of these plans and obligations are designed around natural disasters or workforce-related issues, but cybersecurity events are becoming much more of a risk.

  • Force majeure clauses can be a major escape mechanism for responsibility under agreements if such clauses include cyberattacks in the definition. Your company should take the position, at a minimum, that any cyberattack that occurs due to a breach of your company’s information security policies is specifically excluded from force majeure provisions.

With all the recent press on these issues, it’s a good time to take a fresh look at your information security policies to ensure that cyberattacks of this sort are given an appropriate measure of thought in your agreements.

Copyright © 2017 by Morgan, Lewis & Bockius LLP. All Rights Reserved.


About this Author

Donald G. Shelkey, Attorney, Morgan Lewis Law Firm
Associate

Donald G. Shelkey is an associate in Morgan Lewis's Business and Finance Practice. Mr. Shelkey focuses his practice on representing clients in a variety of commercial contract and licensing transactions, including the outsourcing of information technology and business process functions. He recently assisted in a large business process outsourcing for a large global pharmaceutical company. Mr. Shelkey routinely assists in the negotiation of commercial transactions for leading foreign and domestic companies in the steel industry. He also has a strong background in the e-...

412.560.7727
Alexandra Good, Morgan Lewis Law Firm, Pittsburgh, Corporate Law Attorney
Associate

Alexandra (Ali) Good focuses her practice on mergers and acquisitions, commercial transactions, securities, and general corporate matters. Ali represents clients that include public and private companies, financial institutions, and venture capital and corporate investors and advises clients ranging from Fortune 500 companies to emerging market companies.

412-560-7450