
Optimizing Third Party Contractual Agreements

By Kelsey Manigly-Haney

This blog was inspired by the meeting facilitated by Julie Gaiaschi, CEO & Co-Founder of TPRA, at TPRA’s November 2024 Practitioner Member Roundtable. (To watch the full presentation, TPRA Members can visit our Previous Meetings page and navigate to the November 2024 meeting recording noted on the On Demand tab.) 


Being a TPRM practitioner means being vigilant and prepared for third party risks. One way to build a strong risk management foundation is through strategic planning and careful oversight of contractual agreements.



Contracts do more than just set up relationship expectations. For TPRM practitioners, understanding their full purpose and how they can limit the impact of risk on an organization is essential for successful risk management.


In this blog, we will cover: 

  • The Purpose of Contracts 

  • Several Types of Contract Risk 

  • How We Can Address Contract Risk 

  • Tips on the Right to Review vs. Right to Audit Clause 


The Purpose of Contracts 

Contracts not only establish and document relationship expectations but also help ensure proper risk management. Here’s how: 


  1. Contracts allow TPRM practitioners to obtain necessary evidence items to complete their assessments. A best practice is to include a clause that notes the third party will respond to questionnaires from time to time, as well as provide evidence items in relation to this agreement upon request. 

  2. Contracts can ensure that due diligence findings are addressed in a timely manner. For example, if high-risk findings are discovered during the pre-contract phase, then it is best practice to have clauses noted in the contract in relation to the remediation of said high-risk findings. 

  3. Contracts can establish non-compliance triggers in the event a third party fails to meet its obligations under the agreement. Many contracts only have a clause to terminate the relationship if the third party fails to meet your organization’s expectations, which is not always feasible or desired by the organization. Instead, have a step-by-step course of action noted within the agreement in the event the third party fails to meet its obligations. This will help ensure progress is made and give the contract more teeth than simply terminating the third party. Non-compliance triggers may include, but are not limited to: 

    1. Withholding payment of the next invoice should the third party not provide your organization with the documentation it needs to perform TPRM reviews within a defined period of time.  

    2. Performing an onsite visit if the third party is not keeping to the agreed cadence for remediating confirmed findings.  

    3. The third party assisting with the transition of your organization’s data from the third party’s data center to another data center of your organization’s choosing, should the onsite visit result in additional confirmed findings as well as limited remediation of current findings. 

  4. Contracts reflect an organization’s risk tolerance. For example, you can establish parameters on specific expectations such as the time it should take your third party to patch a critical/high/medium-risk vulnerability. You can also set key performance indicators related to specific activities, such as responding to inquiries. 

  5. Contracts can allow for a smooth transition away from a third party by ensuring that verbiage around termination timelines and expectations is included. In addition, the contract can be used to keep track of what logical and physical access is provided to the third party to ensure that it is terminated promptly. 


What Is Contract Risk? 

Contract risk is the possibility of a risk arising from the way a contract is created. There are different types of risk to be aware of that should be discussed during the pre-contract phase, including but not limited to: 


  1. Not including specific control expectations within the agreement, or in a separate addendum, that will ensure your data is appropriately safeguarded and your organization’s strategic objectives are met. For example, if you are working with a critical- or high-inherent-risk third party, make sure that you call out at least your top 10, 15, or 20 information security controls that you expect them to have in place before you send them any data.  

  2. Not including/reviewing sufficient contract terms. It is important to make sure that you are at least reviewing what the third party is redlining or approving in your contract. In addition, compare it to what you are reviewing from an assessment perspective.  

  3. Not including safeguards within the contract should a third party risk be realized. This would include things like incident response, breach notification, or non-compliance triggers.  

  4. Not reviewing contract templates on a regular basis to incorporate emerging risks related to performance risk, termination and transition risk, intellectual property risk, artificial intelligence risk, cost escalation risk, insurance risk, and so on. It is important to understand where potential risks can arise and to discuss these topics in order to minimize the extent of each risk.  


Addressing Contract Risk 

Now that we have discussed the different ways contract risk can arise, here are a few ways to address said risk. 


  1. Contract risk can be addressed by working closely with Legal and Procurement teams to ensure contracts align closely with your organization’s risk management strategy, including its risk appetite.  

  2. Have templates for cybersecurity requirements drafted to ensure they provide sufficient coverage of key controls. This should not be an exhaustive list of controls, but your top 10 to 20 controls need to be in place in order for you to send data to the third party. Furthermore, templates should detail appropriate remedies (non-compliance triggers) if and when the third party fails to meet its obligations under the agreement. 

  3. Include expectations for participating in risk assessment activities (e.g., responding to questionnaires and providing evidence items upon request).  

  4. TPRM practitioners should have a seat at the table when reviewing redlines within specific clauses related to cybersecurity terms, as well as terms that would allow a practitioner to perform their duties (such as a “Right to Audit or Review” and/or “Termination” clauses).  

  5. Practitioners should ensure any high-risk findings noted during the pre-contract due diligence phase are noted within contractual terms. Practitioners should work closely with legal counsel to ensure that the contractual language is clear, specific, and enforceable. 


Tips on the Right to Review vs. Right to Audit Clause 

Typically, the “Right to Audit” clause allows an organization to “audit” the third party once per year. Historically, this clause was specific to Internal Audit. Over time, TPRM programs have adopted this clause to perform their annual due diligence assessments. However, the clause does not provide the flexibility or depth needed to perform continuous monitoring of the third party. 

A tip for ensuring your organization can review the third party on a regular cadence (more than once per year) is to include a “Right to Review” clause within the cybersecurity addendum, in addition to the “Right to Audit” clause usually noted within the Master Services Agreement (MSA). 


A “Right to Review” clause may include language such as: “The third party may be required to complete due diligence questionnaires and/or surveys from time to time and shall respond to such questionnaires and surveys no later than the due date, as defined within this agreement. Upon request, the third party shall provide evidence to support responses to such questionnaires and surveys. Failure to do so may trigger the escalation procedures and/or non-compliance triggers noted within this agreement.” 


When compared to the “Right to Audit” clause, the “Right to Review” clause is specific to ensuring that your security addendum is being executed appropriately. 


Conclusion 

Incorporating comprehensive contractual safeguards is essential for TPRM practitioners aiming to mitigate third party risks effectively. By understanding contract risk, organizations can establish strong contract clauses that protect against potential liabilities and align with their organization’s risk tolerance. 



1 Comment


daman
Jan 17

Interesting.

a) Purpose Point 2) - '.. if high-risk findings are discovered during the pre-contract phase, then it is best practice to have clauses noted in the contract in relation to the remediation of said high-risk findings....' - will you still go ahead to contract with a third party that has been assessed with high risks during the pre-contract phase?

b) Purpose Point 4) - you will first need to have access to the third party's risk register - contractually!


And, nothing on the third parties of the third parties?
