Key ongoing cyber security requirements, arrangements, terms and conditions should contractually require suppliers to continuously monitor their cyber security and cyber resilience arrangements or plans; improve these arrangements when necessary; and provide regular reports throughout the contract term.
Ongoing monitoring might include:
- Review of the general cyber security controls the supplier must adhere to
- Right to audit
- Pen tests
Ongoing improvement might include:
- Ability to invoke a break clause in the contract if the supplier security fails to improve and does not meet expected standards
Ongoing reporting might include:
- Disclosure of component vulnerabilities, cyber incidents or data thefts
- Disclosure of changes and improvements made to security controls and resilience plans
What is the purpose of ongoing cyber security contractual requirements?
There are a number of reasons for ongoing cyber security requirements embedded in contracts including but not limited to: