Patching Up Your Information Security Review

Morgan Lewis

In light of recent significant ransomware cyberattacks such as the one that originated in Ukraine and quickly spread to affect hundreds of thousands of computers in more than 150 countries, we wanted to provide a few pointers on shoring up your company’s contractual language to mitigate (or at least shift) the risks involved with these types of attacks.

  • The latest ransomware attack was designed around vulnerabilities in operating system software. In March, prior to the attack, these vulnerabilities were patched by the provider of the software. Thus, the victims of the ransomware were those that failed to properly install the fix. Ensuring that your vendors timely patch software affecting your organization’s sensitive systems is vital. To that end, we suggest including express provisions requiring that patching important security fixes be performed, validated, and confirmed within a specific number of days from release.
  • Ransomware attacks that deny access to your company’s systems should be specifically included in disaster recovery and business continuity plans and obligations. Many of these plans and obligations are designed around natural disasters or workforce-related issues, but cybersecurity events are becoming much more of a risk.
  • Force majeure clauses can be a major escape mechanism for responsibility under agreements if such clauses include cyberattacks in the definition. Your company should take the position, at a minimum, that any cyberattack that occurs due to a breach of your company’s information security policies is specifically excluded from force majeure provisions.

With all the recent press on these issues, it’s a good time to take a fresh look at your information security policies to ensure that cyberattacks of this sort are given an appropriate measure of thought in your agreements.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising
