July 17, 2018

July 16, 2018

Patching Up Your Information Security Review

In light of recent significant ransomware cyberattacks such as the one that originated in Ukraine and quickly spread to affect hundreds of thousands of computers in more than 150 countries, we wanted to provide a few pointers on shoring up your company’s contractual language to mitigate (or at least shift) the risks involved with these types of attacks.

  • The latest ransomware attack was designed around vulnerabilities in operating system software. In March, prior to the attack, these vulnerabilities were patched by the provider of the software. Thus, the victims of the ransomware were those that failed to properly install the fix. Ensuring that your vendors timely patch software affecting your organization’s sensitive systems is vital. To that end, we suggest including express provisions requiring that the patching of important security fixes be performed, validated, and confirmed within a specific number of days from release.

  • Ransomware attacks that deny access to your company’s systems should be specifically included in disaster recovery and business continuity plans and obligations. Many of these plans and obligations are designed around natural disasters or workforce-related issues, but cybersecurity events are becoming much more of a risk.

  • Force majeure clauses can be a major escape mechanism for responsibility under agreements if such clauses include cyberattacks in the definition. Your company should take the position, at a minimum, that any cyberattack that occurs due to a breach of your company’s information security policies is specifically excluded from force majeure provisions.

With all the recent press on these issues, it’s a good time to take a fresh look at your information security policies to ensure that cyberattacks of this sort are given an appropriate measure of thought in your agreements.

Copyright © 2018 by Morgan, Lewis & Bockius LLP. All Rights Reserved.


About this Author

Doneld Shelkey, Technology attorney, Morgan Lewis

Doneld G. Shelkey represents clients in global outsourcing, commercial contracts, and licensing matters, with a particular focus on the e-commerce and electronics entertainment industries. Doneld assists in the negotiation of commercial transactions for domestic and international manufacturers, technology innovators, and retailers, and counsels clients in the e-commerce and electronics entertainment industries on consumer licensing and virtual property matters.

Alexandra Good, Morgan Lewis Law Firm, Pittsburgh, Corporate Law Attorney

Alexandra (Ali) Good focuses her practice on mergers and acquisitions, commercial transactions, securities, and general corporate matters. Ali represents clients that include public and private companies, financial institutions, and venture capital and corporate investors and advises clients ranging from Fortune 500 companies to emerging market companies.