
Capability
Legal and Procurement

Contractually enforce third-party security performance requirements and the right to audit. Leverage purchasing events to force closure of open third-party issues.

What

Contractually enforce third-party security performance requirements and the right to audit. Require notification of any material security breach. Leverage purchasing events to motivate closure of open issues.

Why

Contractual obligations motivate third parties to maintain at least a basic risk management program. They also give you a basis of transparency and accountability for holding third parties to their performance obligations.

Issuance of new purchase contracts can be a strong leverage point to motivate third parties to address outstanding issues.

How

Develop template contract language that establishes risk performance requirements. Include these terms in contracts where the inherent risk of the engagement warrants them. Don’t allow exceptions without serious consideration and formal risk acceptance by executive management.

Use purchasing events as leverage to get third parties to address open issues.

Practice                                                                                                          Status     Adoption
Contractually commit third parties to meet your security risk performance requirements.                          Common     90%
Contractually obligate third parties to allow you to audit their security risk performance.                      Common     90%
Contractually obligate third parties to provide timely notification of material data breaches and other security events.   Common     90%
Require executive approval for exceptions to contractual risk management terms.                                  Common     73%
Require that new vendors address material issues prior to awarding the purchase order.                           Common     53%
Require that existing vendors address material open issues prior to expanding the contract or issuing a new purchase order.   Emerging   27%