Contractually enforce third-party security performance requirements and the right to audit. Require notification of any material security breach. Leverage purchasing events to motivate closure of open issues.
Contractual obligations motivate third parties to maintain at least a basic risk management program. They also give you a basis of transparency and accountability for holding third parties to their performance obligations.
Issuance of new purchase contracts can be a strong leverage point to motivate third parties to address outstanding issues.
Develop template contract language that establishes risk performance requirements. Include these terms in contracts where the inherent risk warrants them. Don't allow exceptions without serious consideration and formal risk acceptance by executive management.
Use purchasing events as leverage to get third parties to address open issues.
| Practice | Category | Percentage |
|---|---|---|
| Contractually commit third parties to meet your security risk performance requirements. | Common | 90% |
| Contractually obligate third parties to allow you to audit their security risk performance. | Common | 90% |
| Contractually obligate third parties to provide timely notification of material data breaches and other security events. | Common | 90% |
| Require executive approval for exceptions to contractual risk management terms. | Common | 73% |
| Require that new vendors address material issues prior to awarding the purchase order. | Common | 53% |
| Require that existing vendors address material open issues prior to expanding the contract or issuing a new purchase order. | Emerging | 27% |