Patching Up Your Information Security Review
In light of recent significant ransomware cyberattacks such as the one that originated in Ukraine and quickly spread to affect hundreds of thousands of computers in more than 150 countries, we wanted to provide a few pointers on shoring up your company’s contractual language to mitigate (or at least shift) the risks involved with these types of attacks.
The latest ransomware attack was designed around vulnerabilities in operating system software. In March, prior to the attack, these vulnerabilities were patched by the provider of the software. Thus, the victims of the ransomware were those that failed to properly install the fix. Ensuring that your vendors patch software affecting your organization’s sensitive systems in a timely manner is vital. To that end, we suggest including express provisions requiring that important security patches be applied, validated, and confirmed within a specific number of days from release.
Ransomware attacks that deny access to your company’s systems should be specifically included in disaster recovery and business continuity plans and obligations. Many of these plans and obligations are designed around natural disasters or workforce-related issues, but cybersecurity events are becoming much more of a risk.
Force majeure clauses can be a major escape mechanism for responsibility under agreements if such clauses include cyberattacks in the definition. Your company should take the position, at a minimum, that any cyberattack that occurs due to a breach of your company’s information security policies is specifically excluded from force majeure provisions.
With all the recent press on these issues, it’s a good time to take a fresh look at your information security policies to ensure that cyberattacks of this sort are given an appropriate measure of thought in your agreements.