Contracts as the all-powerful tool against the CEF
My previous article titled ‘Cyber-enabled fraud: an imminent threat to business in Azerbaijan’ illustrated how institutions such as banks, law enforcement, or legal instruments alone are incapable of defending a business from CEF. The paper also listed several recommendations for business stakeholders to protect their business. Below I will shed light on the importance of commercial agreements and how they can help a business to prevent, and recover from, the consequences of CEF.
Importance of civil liability
As became evident from the case of our client (the ‘Client’), the originating, intermediary and beneficiary banks were not able to prevent the intruder(s) from withdrawing the whole amount wired by the Client. And the law enforcement agencies of both Azerbaijan and the UAE could not open a criminal case on jurisdictional grounds. For this reason, civil liability must come forward, as businesses need a more sophisticated remedy to ensure the security of their hard-earned money. Contracts are one of the vital sources of civil liability and must envisage robust elements to defend businesses, including but not limited to the following:
- Duty of due care
Vendors must be obliged to provide an adequate level of cybersecurity. Also called security clauses, a duty of due care implies the vendor’s obligation to maintain strong information security practices and policies that are in line with legal and industry-specific standards. Organizations are increasingly keen on ensuring that vendors meet the ISO 27000 series of standards or the NIST Cybersecurity Framework. Businesses may also require their vendors to conduct regular phishing simulations, maintain encrypted backup and recovery, train employees, etc. However, such practices should be proportionate to the sensitivity of the data and the method of transfer.
- Indemnity clause
As one of the most important risk transfer tools in any business agreement, indemnity clauses must be reflected in vendor agreements for breaches of confidentiality, privacy, and security incidents, specifically cybersecurity exposure. However, business organizations should avoid limitation-of-liability clauses or liability disclaimers, considering that the costs of responding to a cybersecurity incident can be astronomical. Indemnification clauses should be drafted to match the coverage required in the separate insurance clause, so that there are no inconsistencies between what is indemnified and what is covered by insurance.
- Cyber-risk insurance
Business organizations are recommended to require vendors to maintain adequate insurance to fund potential indemnification obligations. Considering that cyber-risk insurance is a relatively new product, pre-drafted insurance clauses will not be sufficient to meet industry-specific concerns. Businesses should make sure that a one-size-fits-all approach is avoided and that the vendor’s insurance provides breach response coverage and business interruption coverage to mitigate damages from CEF. In any case, business organizations should seek the advice of internal or external counsel to draft an insurance clause that meets their needs.
- Data breach notification
Vendor agreements should envisage an obligation for the vendor to alert the buyer within a specified period after discovery of a data breach. Such alerts should be detailed enough to allow the buyer organization to take the actions necessary to mitigate the damage. These notices might be crucial for businesses that must warn their customers, regulators, or insurers within a limited timeframe. In our case the Client is obliged to warn the Central Bank of Azerbaijan to avoid an administrative penalty.
- Data retention
A data retention provision must be well established in vendor agreements and should, at least, 1) restrict access to data to a need-to-know basis (including by quickly invalidating access during employee offboarding); 2) narrow the processing of data down to only what is required to fulfil the vendor’s obligations; 3) ensure the return or destruction of records (as well as emails) on request (with an obligation to prove such destruction), etc.
- Restriction of Sub-Processors
In some cases, vendors hire sub-processors to handle buyers’ data, or they use the services of third parties, such as accounting firms, that have access to buyers’ confidential or proprietary information. Considering that vendors enter into agreements with such sub-contractors to which the business organization is not a party, purchase agreements with vendors must oblige vendors to include, among other things, similar security and confidentiality clauses in their agreements with third parties.
- Vendor’s obligation to hire a first-class bank with multi-factor authentication processes
The beneficiary bank of our Client’s vendor in the UAE did not have a sufficient multi-factor authentication process, which in the end allowed the intruder(s) to withdraw the full amount wired by the Client. Since not all jurisdictions require their banks to maintain a multi-factor authentication process, business organizations should, in the respective agreements, require their vendors to use the services of banks that have such a process.
One cannot deny that adding clauses such as the above to agreements for the sake of cybersecurity will create an additional burden. However, their importance should not be underestimated, considering that the financial losses caused by the absence of cybersecurity clauses can be astronomical.
About the author
Ruslan Bayramov is a Founding Partner at Legalize Law Firm. He specializes in corporate law, eCommerce, and AML/CFT compliance. Ruslan advises clients on asset recovery following cyber-enabled fraud. For further information about the author and Legalize Law Firm please visit https://www.legalize.az/en