{"id":10291,"date":"2021-05-27T23:09:37","date_gmt":"2021-05-27T21:09:37","guid":{"rendered":"https:\/\/www.agilit.law\/?p=10291"},"modified":"2021-05-27T23:09:37","modified_gmt":"2021-05-27T21:09:37","slug":"cyber-risk-management-based-on-contracts-a-fundamental-element-of-an-effective-cyber-governance-strategy","status":"publish","type":"post","link":"https:\/\/www.agilit.law\/en\/it-personal-data\/cyber-risk-management-based-on-contracts-a-fundamental-element-of-an-effective-cyber-governance-strategy\/","title":{"rendered":"Cyber Risk Management based on Contracts &#8211; a fundamental element of an effective cyber governance strategy"},"content":{"rendered":"<p>With the increasing use of teleworking as a result of the health crisis, the security of information systems, which was already a major issue, has become more than ever a question of strategy and even a vital matter for businesses. While most players have boosted the implementation of internal technical measures and their investments therein, it is also important to consider the risk arising from the ecosystem in which a business operates.<\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h2><strong>The risk in connection with third-party service providers<\/strong><\/h2>\n<p>The <em>Agence nationale de la s\u00e9curit\u00e9 des syst\u00e8mes d&#8217;information <a href=\"https:\/\/www.ssi.gouv.fr\/uploads\/2017\/01\/guide_hygiene_informatique_anssi.pdf\" target=\"_blank\" rel=\"noopener\">(ANSSI)<\/a><\/em> [French National Cybersecurity Agency] states that <a href=\"https:\/\/www.ssi.gouv.fr\/uploads\/2017\/01\/guide_hygiene_informatique_anssi.pdf\" target=\"_blank\" rel=\"noopener\">\u201c<\/a><strong><em>the partner [must] by default be considered unsafe\u201d.<\/em><\/strong> In the second edition of its guidebook <a 
href=\"https:\/\/www.nxtbook.fr\/newpress\/CEIDIG\/l_essentiel-de-la-securite-numerique-pour-les-dirigeants-et-les-dirigeantes-2eme-edition\/index.php?xtor=anssi#\/p\/Couverture\" target=\"_blank\" rel=\"noopener\"><em>L\u2019essentiel de la s\u00e9curit\u00e9 num\u00e9rique pour les dirigeantes et les dirigeants<\/em><\/a> [The basics of digital security for managers], the <em>Conseil de l\u2019\u00c9conomie et de l\u2019Information du Digital<\/em> (CEIDIG) [French digital economy and information council] warns of the risk of a \u201cstray bullet\u201d:<\/p>\n<p>\u201c<strong><em>The ever-increasing interconnection <\/em><\/strong><em>between businesses, partners and service providers poses a serious domino effect problem in the event of one of them being compromised. <strong>It is possible for a business not to be targeted directly but still to be affected through one of its partners that is the victim of an attack, and thereby for its systems to be infected.<\/strong><\/em>\u201d<\/p>\n<p>&nbsp;<\/p>\n<p>A few figures to illustrate this issue in concrete terms:<\/p>\n<ul>\n<li><strong>60% of security breaches directly or indirectly involve a third-party supplier<\/strong> (\u201c<a href=\"https:\/\/papers.ssrn.com\/sol3\/papers.cfm?abstract_id=3532024\" target=\"_blank\" rel=\"noopener\">Threats and Major data breaches: Securing Third-Party Vendors<\/a>\u201d in SSRN Electronic Journal).<\/li>\n<li><strong>58% of cyber-attacks are opportunistic<\/strong> (Benchmark CERT Wavestone, September 2019 \u2013 August 2020), that is to say, cyber attackers will exploit a vulnerability wherever they find one without necessarily aiming at a particular target.<\/li>\n<li>Since SMEs are generally less well protected, they may be targeted by cyber-attacks and constitute critical entry points: <strong>43% of cyber-attacks target small businesses<\/strong> (Kaspersky survey, April 2020).<\/li>\n<li>More importantly, <strong>60% of attacks are due to \u201chuman errors\u201d<\/strong> 
(Accenture, \u201cState of security report 2020\u201d); as Alice Cherif, then the head of the cyber criminality department of the Public Prosecution Services in Paris, <a href=\"https:\/\/www.lefigaro.fr\/actualite-france\/trafics-chantage-espionnage-les-cyber-juges-contre-le-darkweb-20200224\" target=\"_blank\" rel=\"noopener\">already emphasised in February 2020<\/a>, \u201c<em>irrespective of the cyber security tools that you may implement, at the root of all these incidents, <strong>you will always find human error<\/strong>. There will always be somebody who clicks on the link or attachment when they ought not to, and then it\u2019s already too late, the damage is done&#8230;<\/em>\u201d. The training and commitment of employees is therefore absolutely essential to tackle cyber threats.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>Moreover, it should be remembered that security is not just a matter of protecting businesses: it is also a regulatory requirement. Article 32 of the GDPR provides for an obligation of security, and the French Data Protection Authority [<em>Commission Nationale pour l\u2019Informatique et les Libert\u00e9s<\/em> (CNIL)] has <a href=\"https:\/\/www.agilit.law\/droit-technologie-et-informations-donnees-personnelles\/thematiques-prioritaires-de-controle-de-la-cnil-pour-2021-cybersecurite-cookies-et-donnees-de-sante\/\" target=\"_blank\" rel=\"noopener\">made cyber security one of its priority areas of control for 2021<\/a>. The risk of incurring a sanction from the CNIL is therefore a further potential consequence of failing to implement the necessary security measures.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><strong>What is the solution?<\/strong><\/h2>\n<p>The combination of these various factors means that <em>\u201cin order to avoid becoming a collateral victim, it is essential to focus on the security of the businesses in one&#8217;s ecosystem and demand guarantees as to their level of security.\u201d <\/em>(CEIDIG). 
Consequently, an effective cyber security strategy necessarily includes measures relating to suppliers, service providers and partners.<\/p>\n<p>In this respect, while cyber risk may be mitigated by internal technical measures, a contract is the only means by which it is possible to require a third-party service provider to implement technical and organisational measures. A global approach must be taken: technical guarantees must be required, but it is also necessary to obtain commitments, in particular on staff training, to limit the risk of human error.<\/p>\n<p>A \u201ccyber security\u201d dimension must therefore feature in all legal instruments. It is also essential to conduct inspections to verify that partners are complying with the contracts and with regulations.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>With such an approach it is possible not only to protect a business\u2019s IT systems through increased vigilance on the part of the service provider and compliance on sensitive points, but also to satisfy one\u2019s statutory obligations in security matters and to make it possible to establish the liability of third-party partners in case of failure on their part. 
<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<h2><strong>What action should be taken?<\/strong><\/h2>\n<p>An effective contractual strategy for the management of cyber risk can be broken down into three stages:<\/p>\n<p>&nbsp;<\/p>\n<ol>\n<li><strong>Identification of the relevant third-party service providers<\/strong>: knowledge of the ecosystem is an essential preliminary step in defining the risk for each actor and applying any contemplated solutions in a standardised manner, or, if necessary, adapting them to the specific circumstances of service providers.<\/li>\n<li><strong>Assessment of maturity level<\/strong>: use of a security questionnaire, enabling a detailed analysis of each service provider\u2019s characteristics and hence a precisely drafted cyber security clause.<\/li>\n<li><strong>Drafting the cyber security clause<\/strong>: clear commitments from the contracting party, enabling its liability to be established more easily in the event of an incident. The clause should, in particular, include:\n<ul>\n<li>undertakings to provide regular training to staff on IT system security;<\/li>\n<li>a list of technical requirements and an undertaking to maintain a specified level of security (e.g. compliance with standards, application of identified practices, etc.); and<\/li>\n<li>incident management and notification rules (timeframes, cooperation).<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<p>For a more general approach to good practice in matters of security, please see our article entitled \u201c<a href=\"https:\/\/www.agilit.law\/droit-technologie-et-informations-donnees-personnelles\/quelques-reflexes-a-ne-pas-negliger-en-matiere-de-securite-des-donnees-a-caractere-personnel\/\" target=\"_blank\" rel=\"noopener\">A few measures not to be skipped in matters of personal data security!<\/a>\u201d (in French).<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p><em>AGIL\u2019IT&#8217;s \u201cIT Cyber Criminality &amp; Data Protection\u201d Department is available to assist you with cyber risk prevention, compliance with applicable regulations and recommendations for the prevention of malicious cyber activity, as well as with the management of your cyber crises.<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>By\u00a0<a href=\"https:\/\/www.agilit.law\/\" target=\"_blank\" rel=\"noopener\">AGIL\u2019IT<\/a>\u00a0\u2013 <a href=\"https:\/\/www.agilit.law\/expertises\/technologies-de-linformation-donnees-personnelles\/\" target=\"_blank\" rel=\"noopener\">IT<\/a>,\u00a0<a href=\"https:\/\/www.agilit.law\/expertises\/telecommunications\/\" target=\"_blank\" rel=\"noopener\">Cyber Criminality<\/a>\u00a0&amp;<a href=\"https:\/\/www.agilit.law\/expertises\/donnees-a-caractere-personnel\/\" target=\"_blank\" rel=\"noopener\">\u00a0Data protection<\/a> Department<\/p>\n<p><a href=\"https:\/\/www.agilit.law\/cabinet\/equipe\/sylvie-jonas\/\" target=\"_blank\" rel=\"noopener\">Sylvie JONAS<\/a>, Partner<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>With the increasing use of teleworking as a result of the health crisis, the security of information systems, which was already a major issue, has become more than ever a question of strategy and even a vital 
matter for businesses. While most players have boosted the implementation of internal technical measures and their investments therein,&hellip;<\/p>\n","protected":false},"author":13,"featured_media":9219,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[126],"tags":[],"coauthors":[99]}