4 Things Small Businesses Should Know During IT Acquisitions in Cyber Risk Management

August 7, 2017

Legaltech News

A digestible guide to help with actionable items implementable during an IT acquisition, as well help an IT vendor analyze the legal implications of its sales. 

Suppose your client, a mid-size health care provider, is about to install a new security system connected to the hospital’s network, or, a small-size IT vendor is about to provide an electricity distribution system to a utility. Given the latest news on data breaches and cyber attacks on critical infrastructure, the client is understandably concerned about the cyber risks associated with the upcoming IT sales agreement and the legal implications. How do you advise your client?

Already, there are many publications available to assist companies enhance cybersecurity during an IT acquisition. But the hectic speed of change compounds the challenge of digesting these numerous guidelines. Also, a lot of the publications are prepared from a buyer’s perspective, which may underserve an IT vendor already burdened by cybersecurity audit requests.

Against this backdrop, introduced below are four key concepts to help a buyer comprehend the various cybersecurity publications and transform them into actionable items implementable during an IT acquisition. The following can also help an IT vendor analyze the legal implications of its sales and determine contact terms to which it can concede.

1. Bill of Materials

Bill of materials relates to the ingredients of the IT product/service under consideration. Just as toxic ingredients in a product can cause hazards, components of an IT product/service with vulnerabilities can lead to security breaches. Based on the bill of materials, a buyer can discern at least the known vulnerabilities of the IT ingredients.

For instance, if the bill of materials discloses open source software (OSS), a buyer can work with its engineers to analyze if the disclosed OSS has any known vulnerabilities. The buyer should also note that if vulnerabilities were detected in the future, an IT vendor may not be able to address the vulnerabilities because OSS is developed by a group of open source developers, and it may be difficult to seek redress for damages caused by faulty OSS. By requesting the bill of materials, a buyer can better analyze the cyber risks associated with a given purchase and prepare for their implications.

Conversely, an IT vendor should keep track of any OSS or proprietary software it is adopting and assess the vulnerabilities of these materials. This practice will benefit the IT vendor when analyzing the cyber risks associated with its sales, determining the scope of its obligations to update its products, and negotiating the price and liability provisions in a sales agreement.

2. Penetration Test

A penetration test is a test to detect the unknown vulnerabilities of an IT product/service. An IT vendor often conducts a penetration test before releasing its new IT product/service. An institutional buyer of an IT product is also recommended to conduct such test to monitor the vulnerabilities of its IT infrastructure.

As the practice of conducting a penetration test gains traction, a buyer should discuss with its IT vendors the terms of a penetration test. These terms can include: who should be conducting the test; how long the test should be conducted, and how extensively; to what extent the parties are sharing the test results; who is responsible for addressing the vulnerabilities discovered during the test; etc.

Also, when a party chooses not to address a vulnerability detected during the test, the party may be found at fault if an incident were triggered because of the unaddressed vulnerability. Hence, both a buyer and IT vendor should consult with lawyers while discussing the terms of and conducting the test.

3. Recommended Use

In response to a buyer’s heightened cybersecurity demand, an IT vendor may provide a recommended use guideline. The guideline, sometimes found in purchase agreements under the “responsibilities of the client” section, can limit an IT vendor’s liability when a buyer’s use did not conform to the recommendations. For instance, the recommendations may request that an IT product be segregated from a public network, data or traffic be encrypted, data transfers be monitored to detect anomaly, etc.

A buyer should request such guidelines ahead of time to consult with its IT personnel and analyze whether the terms are practically achievable. A buyer can also assess the cost of adhering to such terms and incorporate it into a purchase agreement.

An IT vendor may, on the other hand, integrate such terms in its scope of work and collaborate with a buyer to enhance the cybersecurity of the IT product/service in-use. The collaboration also allows an IT vendor to better analyze a security threat particular to a buyer and negotiate the price and liability terms in its sales agreement.

4. Notice and Maintenance

Vulnerabilities can be discovered after an IT product/service is deployed. Hence, the duty to notify vulnerabilities detected post-deployment, and patches, should be discussed before signing a sales contract.

Even if a party may be interested in learning about the post-deployment vulnerabilities as soon as they are discovered, however, a failure to timely address the post-deployment vulnerabilities may lead to liability. Thus terms related to duty to notify should be drafted to hedge against such risks, and a party should seek legal advice before notifying the other about the newly discovered vulnerabilities.

Parties should also determine who is responsible for monitoring and patching an IT product/service post-deployment. As the division of responsibilities may impact a party’s liability, a party should consult not only its engineers but also lawyers while negotiating the terms related to monitoring and patching.

Also, as noted above regarding bill of materials, a buyer should analyze the cost of cyber risk associated with the use of OSS, which an IT vendor may not be able to monitor or patch, and factor it into the purchase agreement. An IT vendor, on the contrary, should analyze its ability to monitor or patch OSS used in its product/service and determine the scope of its obligations and liabilities it can concede to.

Any entity is likely a party to an IT sales contract nowadays. As the possibility of non-economic harm due to cybersecurity breaches increases, e.g., physical injury due to a compromised IT product/service, it is prudent that both parties to an IT contract conduct reasonable due diligence to enhance cybersecurity. The diligence will further assist a party analyze the cyber risks associated with a given IT sales and negotiate the price, warranty, and liability provisions in a purchase agreement to protect itself against such risks.

“4 Things Small Businesses Should Know During IT Acquisitions in Cyber Risk Management,” by Ji Young Park was published in Legaltech News on August 7, 2017. Please click here to read the article online.

Reprinted with permission from the August 7, 2017, edition of Legaltech News © 2017 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382, reprints@alm.com or visit www.almreprints.com.