Supply chain attacks and IT contracts
Supply chain attacks, such as the one that forced Coop Sweden to shut down over 400 stores due to ransomware, have increased in number and in sophistication in 2020 and 2021. A supply chain attack is a combination of at least two cybersecurity attacks: the first attack is on a supplier, which is then used to attack the ultimate target. The Coop incident was caused by an attack that originally targeted an IT management software vendor used by Coop’s payment system service provider.
How to ensure risks presented by supply chain attacks are covered in IT service contracts?
Since prevention and mitigation of cybersecurity incidents necessitate actions particular to cybersecurity, you should not rely on clauses specific to other situations. For example, Data Processing Agreements (DPAs) regularly have clauses covering data breach situations, but a personal data breach is a very particular concept, and only one potential consequence of a cyberattack. Not all cyberattacks present a risk to data subjects’ rights and freedoms, and for many businesses, personal data is not the only crucial asset.
Check that cybersecurity is covered in your IT contracts. Cybersecurity clauses should cover at least the following:
Definition of a cybersecurity incident. It may be a good idea to also define what cybersecurity means in the context of a particular contract, as it is not a term with a universally understood meaning.
Duty to implement effective cybersecurity measures and systems to both prevent and mitigate cyber incidents. Where relevant, the other party should be able to verify that the measures have been effectively implemented.
Duty to inform the other party of suspected or detected cyber incidents, and to disclose necessary information on the incident to the other party to enable effective protection of assets.
Allocation of responsibility for carrying out mitigation measures in case of an attack or incident.
Liability for damages. An important issue to remember is to define who covers the costs of forensics and incident response work in case of a serious incident.
Information is paramount
One of the most important aspects of incident response management is to ensure that you are, and stay, informed of what is going on. Regardless of your organization’s place in the supply chain, you depend on your partners for up-to-date information, and at the same time your partners rely on you to provide up-to-date information to them. It is important to ensure that the duty to keep your partner informed reflects the realities of the situation, and that confidentiality clauses do not prevent disclosing necessary information about cyber incidents and their prevention and mitigation further along the supply chain.
Read more on supply chain attacks: ENISA Threat Landscape for Supply Chain Attacks (published July 29, 2021) https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks