Since prevention and mitigation of cybersecurity incidents necessitate actions particular to cybersecurity, you should not rely on clauses specific to other situations. For example, Data Processing Agreements (DPAs) regularly have clauses covering data breach situations, but a personal data breach is a very particular concept, and only one potential consequence of a cyberattack. Not all cyberattacks present a risk to data subjects’ rights and freedoms, and for many businesses, personal data is not the only crucial asset.
Check that cybersecurity is covered in your IT contracts. Cybersecurity clauses should cover at least the following:
Definition of a cybersecurity incident. It may also be a good idea to define what cybersecurity means in the context of a particular contract, as it is not a term with a universally understood meaning.
Duty to implement effective cybersecurity measures and systems to both prevent and mitigate cyber incidents. Where relevant, the other party should be able to verify that the measures have been effectively implemented.
Duty to inform the other party of suspected or detected cyber incidents, and to disclose necessary information on the incident to the other party to enable effective protection of assets.
Define who is responsible for carrying out mitigation measures in case of an attack/incident.
Liability for damages. An important issue to remember is to define who covers the costs of forensics and incident response work in case of a serious incident.