This article is written by Somadatta Bandyopadhyay, pursuing a Diploma in Cyber Law, Fintech Regulations and Technology Contracts from LawSikho.

Introduction

With the increase in digitization and technological advancement, there is a spurt in cyber incidents that are being reported and publicized as well as an increase in awareness amongst the masses that there are imminent access points in projects through which attacks can be launched. This has become a central point of discussion in many boardrooms. To stay abreast of the threats is a challenge that the owners of the projects and the stakeholders are facing continuously. Therefore, it is absolutely necessary that proper contracts are drafted keeping cyber risks in mind and risk allocation measures are put in place. The contracts can act as an instrument for risk mitigation and help stall exposure to cyber risk to some extent. 

Cyber risks ensue from using electronic data and transmitting it over the internet using telecommunication networks. The risks can range from leak of integral and confidential data of individuals, organizations or even governments to fraudulent activities carried out as a subsequent menace of said leak. The origin of cyber risks can be companies looking to disrupt the operations of a rival company to gain competitive advantage or even governments trying to cause damage to the critical infrastructure of other governments and thereby launching cyber warfare attacks. 

Cyber intrusion can lead to loss of reputation notwithstanding the economic loss that can be of a significant measure. This is where a contract can come to the rescue by informing parties about the risks that can arise from the attacks and ways to mitigate the risks. Risk allocation is done to the party who occupies a position where it is seemingly more convenient to manage the risk especially if the party willfully agrees to bear the risk, albeit on the condition of a price premium. 

Why is considering cyber risk management necessary?

Let’s consider that a company outsources work with respect to its digital marketing. That also includes handling a lot of sensitive and confidential data of the customers of the company by having access to the database system. The outsourcing contract is negotiated and the terms and conditions are happily agreed to by and between the parties.

After a few months, it is brought to the knowledge of the outsourcing company that the confidential customer data has been made publicly accessible because of weak security provisions of the service provider company. A lot of questions ensue then, including the party liable for the breach and the extent of liability, which party would handle the brunt of the incident, which party’s insurance would be covering the loss. Hence why covering the questions by way of a contract would save both parties from huge losses. The key thing to keep in mind is to not let the aforementioned issues slip through among other negotiations for outsourcing.

Provisions to keep in mind

When two parties enter into a contract, a lot of negotiations happen over price and services which is why concerns over insurance, cybersecurity and liabilities don’t find a place in the discussions. Especially companies that explore outsourcing contracts. The negotiations are generally steered by the provider and purchaser of the services. 

Without contractual clarity over the same, there are possible disputes that can arise over the liabilities of the parties, who has the onus of covering the costs and who has to be handling the incidents. Hence, effective transfer of risk by way of a contract is imperative during the negotiations phase.

The most challenging part in case of a cyber-risk is always the identification of the party towards whom the risk can be channelized. The liabilities can be distributed based on the terms of the contract and would require a thorough analysis of the provisions of the contract including provisions related to compliances and the data law that is applicable, force majeure clause, insurance, provisions of data storage and transfer, among other things. 

Force Majeure

Parties are permitted to not perform their contractual obligations during the term of subsistence of the force majeure event, as long as the event is beyond the reasonable control of the affected party. Cyber risks or cyber-attacks are probably not as devastating as the traditional textbook force majeure natural disasters, therefore parties might not even consider putting in such a clause in the contract.

But, in order to bring in transparency in the contracts, dealing with risks should be given priority, and therefore by considering the sensitivity of the data that may be revealed around other parties, the measures of mitigation have to be set out. 

Insurance provisions

In case of big projects, the parties could need insurance policies to protect them against exposures from third parties and risks of different kinds. But special attention would need to be paid to insurance against third party liabilities, operation and construction covers for all kinds of risks, insurance in case there is any sort of delay in production or any interference in business, professional indemnity insurance as well as other statutory insurances. 

The main question that arises is who bears or to whom the responsibility of cyber risk can be shifted. Indemnification of loss by the other party is something the party to the contract should try to achieve. But since the other party would probably be wary of the significance of negotiations in case of exclusion of liabilities, therefore they can seek for a position of liability that would probably go hand-in-hand with their role and responsibility instead of having the entire liability shifted to them.  

The management of cyber risks can be done by having a single contact point in the form of a security provider. This way the parties to the contract can also have the advantage of only reaching out to a single party if things have to ever go wrong, instead of scurrying around for help.  By engaging the services of a single cybersecurity provider, owners may be able to benefit from the advantage of having a single point of responsibility to look to if things go wrong. 

Setting limits

One way to consider and mitigate the risks arising out of the cyber-attacks start with companies setting a particular amount limit, depending on the revenue generated as well as the size of the company, of the contract. The contract can be a guide to the risk associated with the business as well the redeemable limit that can be set as safeguard. The questions that also need to be considered vary from, if anything goes wrong, what could be the potential damage for the same, if the services provided by the contract are minor regular and routine services or a mission critical service, the revenue generated by the service providing company in order to gauge the fair and reasonable limits to be set, whether the service provider is indeed handling or has anything to do with personal information, and also whether the liability of the service provider capped and if it is capped, can there exist a reasonable enough situation to ask for an insurance above and beyond the liability. 

Contract language

Being insured against cyber risks and having it written out in a contract would give a company the rights to instigate the payments in case of a breach. One very important consideration would be putting down an effective “right-to-audit” clause in the contract.

In case of contracts, where a party, because of the nature of services being offered, has to handle sensitive confidential data of the other party, it should be mandatorily required to protect said data. Such contracts should go beyond the traditional “provide appropriate security controls” mentions and should look into more intricate and extensive standards like segregating the data, measures and restrictions if there is a need that arises to store said data in a particular location other than where it is normally housed as well as a detailed methodology of the security practices.

When it comes to right-to-audit clauses, parties are allowed to audit or check the other party’s security and safety protocols and procedures. This can act as a filtering mechanism by which service-providing parties that do not live up to the standard can be eliminated. This helps reinstate to other service providers that complying to security protocols is an obligation.  Services being outsourced does not mean liabilities can be outsourced too. Explicitly stating provisions of insurance and indemnity makes the process of a liability claim a lot smoother in case a breach arises.

Conclusion

With the passing time, cyber risk management is slowly but surely making its way into contracts. Since the losses incurring from cyber-attacks can range from loss in terms of economy, in terms of reputation to physical damage, the entire thought of it is daunting. But even with the threats being unprecedented and unexpected, it can be managed with proper assessment of risk, doing due diligence, and thereby proper allocation of said risk. The entire scare around cyber risk can be successfully handled with cyber resilience and the consequences can also be done away with.

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.