Beware – Cyber Security Language in Your Third-Party Contracts


Cyber security is a constantly changing field with constantly changing requirements. Recently, companies have found increasing amounts of technical jargon inserted into their contracts with third parties (i.e. customers and vendors). These companies seek to protect themselves from cyber threats that could reach them by way of the third parties they connect to.

However, this technical language is not just ‘jargon’ — it is something that is make-or-break for many clients and vendors. In other words, you need to become well-versed in this new cyber security language and be able to comply with its new requirements, if you are to gain new contracts and avoid losing out on business.

Take a look at some of the key examples of this new lexicon and stay on top of your customer contract requirements.

  • Penetration Testing

Penetration testing refers to a form of ‘white hat’ hacking, in which digital infrastructure and systems are subjected to test hacks. The results of these test hacks will demonstrate whether or not existing security protocols are up to scratch, as well as offering insight into where improvements can be made.

  • HIPAA Compliance

If your prospective client works with Protected Health Information (PHI) — for example, if they are a healthcare service provider or if they work with healthcare payers — they will need to ensure that all systems and operations are HIPAA compliant. This means following all regulations and guidelines laid down in the Health Insurance Portability and Accountability Act of 1996.

  • SOC 2 Attestation

SOC stands for System and Organization Controls, while the ‘2’ signifies that these controls relate to the digital and technology spheres. An independent auditor needs to assess SOC 2 compliance in order to provide attestation that everything is up to code. Many technology firms will require SOC 2 compliance on all work they commission.

  • PCI Compliance

Anyone accepting credit card transactions needs to be PCI compliant. This means adhering to six major requirements: building and maintaining secure networks and systems, working to protect cardholder data, operating a Vulnerability Management Program, putting strong access control measures in place, carrying out monitoring and testing of networks on a regular basis, and drafting and implementing an information security policy.

The specifics of these requirements are subject to change, and companies are advised to stay abreast of any changes on the PCI Security Standards website.

  • CMMC Framework Adherence

Adherence to the Cybersecurity Maturity Model Certification (CMMC) framework is something that all Department of Defense contractors need to be aware of. Clients who wish to work on DoD contracts will need to ensure that all of their digital infrastructure is compliant with this framework and certified as such at the appropriate level.

There are five levels of certification, each of which can be granted by an approved CMMC Accreditation Body.

Understand new cyber security language in your third-party contracts

Don’t risk sending your customers elsewhere for a service you cannot provide. Reach out to our team and find out more about the evolving testing, accreditation and certification landscape.

Emory Vandiver

Emory Vandiver is the Vice President of Business Operations and a Partner at Interactive Security, where he is responsible for executing the company's strategy as a premier IT Security and Compliance provider. For over 20 years Emory has worked for leading enterprises across a diverse cross section of the information technology industry. His professional passion lies in understanding client business goals, challenging the status quo and leveraging technology-based solutions to maximize client performance. He strives to bring unique insight and value to his clients' businesses, along with a superior customer experience.