Cyber Insurance. What types of cyber insurance does the vendor have in place? New insurance products have emerged that are designed specifically to address first- and third-party claims related to data, including the costs of responding to a breach. If the vendor under consideration carries such insurance, the vendor will be in a better position to respond in the event of a breach. Does the vendor’s policy provide coverage for breach remediation and notification expenses? Management of breach response by counsel? Forensic investigation and credit monitoring services? Does the policy provide coverage for regulatory fines and penalties? Reimbursement for crisis management and public relations services? Does the policy contain exclusions barring coverage for mechanical failure, failure to maintain the computer network or system, failure to maintain risk controls, or lack of encryption? Focusing on these questions before negotiating the vendor agreement can help the parties better understand the options that may be available with respect to liability and indemnification.

What audit reports are available with respect to the vendor’s data security practices? Below are some examples of audit reports that are increasingly available to a vendor’s potential customers:

A Service Organization Controls Report 2 (SOC 2) is intended to demonstrate that the organization’s internal controls related to security, availability, processing integrity, confidentiality and data privacy are operating effectively. A SOC 2 Type I report focuses on management’s description of a service organization’s system and the suitability of the design of the controls. The SOC 2 Type II report focuses on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of the controls. The Type II report includes an examination and confirmation of the steps involved, and an evaluation of the operating effectiveness of the controls over a stated period of time.

The distinctions between a Type I report and a Type II report are subtle, but important. When evaluating a Type I report, the focus is on whether management has adequately described the system and adopted suitable controls for security, availability, processing integrity, confidentiality and data privacy. The Type II report, in contrast, evaluates whether that system actually operates effectively over the review period. Which type of report is required depends on the nature of the engagement and the data to which the vendor will have access.

SOC reports, which are typically reviewed by IA, are valuable because they are produced by independent third parties (typically auditors) who have verified the controls in place. More and more vendors, particularly those who host or process a large volume of confidential information, produce SOC reports as marketing tools that demonstrate to potential customers the seriousness with which they address data security. The absence of these reports for larger vendors could be a red flag.

Not all vendors will have SOC reports, but they may have substitute reports that will suffice to demonstrate a level of data security that a company will not be able to ascertain on its own. These include, but are not limited to, certificates of compliance with the Payment Card Industry Data Security Standard (PCI DSS), International Organization for Standardization 27001 and 27002 (ISO 27001 and ISO 27002), TRUSTe certifications and Experian Independent Third Party Assessment (EI3PA) certifications.