Reducing Contract Risk in the Finance Industry

In a previous post, we discussed the importance of implementing risk management in your contracts. In this post, we will discuss a business risk and a liability risk that companies in the finance industry are facing now more than ever. Both are tied to the ever-growing threat of malicious hackers. As many trend watchers claim, this is the era of big data, and with big data come big cybersecurity threats.

Business Risk: Subcontracting Vendors with Low Cybersecurity Standards

Jamie Dimon, Chairman and CEO of J.P. Morgan Chase, has disclosed that the company spends $200 million and employs 600 people to fend off cybercriminals. He even expects that figure to climb by 20% to 40% per year for the next several years. Given these figures, it’s understandable that several other financial institutions are also making large strides towards cybersecurity.

No matter how careful your company is, it will still have a crack in its IT shield if it uses subcontractors with sub-par cybersecurity practices. Some business relationships may go back so long that you are keeping them for their history rather than for their performance. To address this business risk, you should review clauses on a quarterly or annual basis, so you can evaluate whether or not the terms of the contract are still appropriate.

Your financial institution needs to be protected from businesses that have IT security practices below the industry standard. Your CTO should be the main advisor on how to evaluate vendors' IT protection measures and how to draft specific contract clauses. After final review and approval, these contract clauses will become part of the library of your contract management system, so the process is much smoother with future contracts.

Liability Risk: Protection from Data Leaks

Beyond being a PR nightmare, the unintentional release of personally identifiable financial information is an issue that carries legal consequences. The best example in the private sector is the recent data breach of millions of credit card numbers from Target customers. Target and Trustwave Holdings Inc, a credit-card security firm, are in a legal battle over who ultimately holds the responsibility for the data breach.

On the other hand, the public sector is not exempt from attacks by cyberthieves. While there are many contract management lessons from the launch of, one that stands out is that cybersecurity needs to be a main focus. There have been several reports that gaining access to a user account required very little coding skill. Through access to a user’s account, a hacker could be on the way to obtaining even more financial data from users.

To learn more about this topic, you should read about how to address contract issues with subcontractors.


These two examples demonstrate why your contracts need to include clauses that go into the details of what happens during a data leak, such as who is responsible for what and what measures need to be taken to address the problem. Once these clauses are set, the manager responsible for a contract can make the process part of the contract in the contract management system. By setting proactive email alerts, to-do lists, and action items, the manager can lay out a clear framework to use in the event of a data breach moving forward.