Legal Blog

How Small Businesses Can Reduce Their Third-Party Cybersecurity Liability

In a survey published last June, PricewaterhouseCoopers found that the majority of U.S. businesses are unprepared for a cybersecurity breach. Indeed, fewer than half (44%) have implemented processes for evaluating third parties before entering into agreements with them, and only 31% include security provisions in contracts with external vendors and suppliers. For small and mid-sized businesses, PwC’s findings should be particularly worrisome. As cyber attacks show no signs of abating in the next decade, smaller firms are increasingly the targets of hacks and data breaches. As many as 60% of these companies are unable to pick up the pieces after an attack, and are often shut down due to a single vulnerability in the supply chain. Factor in the various vendors, suppliers, and subcontractors linked together in today’s digitally interconnected environment and the threat multiplies exponentially. Even if your business has adopted cybersecurity best practices for itself, it may remain just as exposed as its most defenseless contractor. Fortunately, there are several straightforward steps a business can take to reduce its third-party liability:

Create a Cyber Action Plan

When an incident occurs, the potential damage increases with every passing minute. In order to protect your customers and mitigate your loss, you need to be able to act and communicate with contractors and others as quickly as possible. If you have not done so already, keep all of your contracts organized in a centralized database. Create a cyberattack response procedure that addresses the following questions:

  • Definition: what constitutes a data breach?
  • Roles: who is responsible for notifying and disseminating information between affected parties?
  • Contracts: who is contacted and what information should be provided to each contact?
  • Methodology: how is the situation communicated to ensure maximum safety and expediency? What methods and technologies are used?

Once you have finalized the action plan, pieces of it may need to be added to existing and future contracts.

Review Your Contracts

Contracts are powerful cybersecurity tools, primarily because of their role in establishing liability. A well-drafted agreement should include representations and warranties and an indemnification clause, as well as language pertaining to each party’s legal, financial, and disclosure obligations in the event of an attack. In addition, make sure all contracts require compliance with current federal standards and requirements. Since cybersecurity is a rapidly evolving market and U.S. and international frameworks change constantly, you will need to regularly review and make necessary changes to active contracts—an arduous task, but an imperative one nonetheless.

Consider Buying Insurance

Various cybersecurity insurance policies are available to cover the costs of an attack. Find out if your contractors have insurance. If not, it is not a bad idea to compel them to get coverage through contractual requirements.

Talk to a Lawyer

Whether you need assistance finding a cybersecurity insurance policy, drafting or updating contracts, staying up to date on current standards, or instituting a response policy, talk to an attorney. Offit Kurman’s cybersecurity practice group was founded to help regional businesses stay protected and profitable in the face of computer viruses and data theft. Click here to learn more about our cybersecurity services. If you would like to talk to me about reducing your third-party cybersecurity liability, or any other cybersecurity legal matter, click here to get in touch.


Mr. Tolchin’s practice is focused on government contracting, cybersecurity, business litigation, and technology matters. In government contracting issues, Mr. Tolchin represents prime and subcontractors in contract negotiation and formation matters and in disputes involving both government and commercial business issues. He has been involved in procurement cases before many of the federal and state boards of contract appeal, Government Accountability Office, Small Business Administration, United States Court of Federal Claims, Court of Appeals for the Federal Circuit and other federal and state courts across the United States. His business litigation practice involves large and small matters in federal and state courts and before numerous arbitration panels. In the technology arena, Mr. Tolchin has assisted in disputes, licensing, and business development matters for clients ranging from startups to Fortune 500 companies. You can connect with Offit Kurman via Facebook, Twitter, Google+, YouTube, and LinkedIn.

WASHINGTON | BALTIMORE | FREDERICK | PHILADELPHIA | WILMINGTON | VIRGINIA | NEW YORK CITY