contracts Our Cybersecurity Webinar Series To help you understand - PowerPoint PPT Presentation



  1. Data Governance & Contract Management: How you can build security into your contracts

  2. Our Cybersecurity Webinar Series
     To help you understand the cyber risk in your legal vendor portfolio:
     • Week 1 (July 8): PRIVILEGED DATA: Understanding the cyber security challenges with your legal vendors
     • Week 2 (July 15): CYBER SECURITY BENCHMARKING: What you need to know now, how to avoid risk
     • Week 3 (July 22): LEGAL VENDOR CYBER RISK PROGRAM: How to deal with problems (and how to avoid them in the first place)
     • Week 4 (July 29): DATA GOVERNANCE & CONTRACT MANAGEMENT: How you can build security into your contracts
     Why | What | How

  3. Introductions
     • Tyler Marion, Managing Director, Duff & Phelps, Legal Management Consulting
     • Derek Mihm, Senior Manager, Duff & Phelps, Legal Management Consulting

  4. Our Work
     • Contract Review
     • Data Migration
     • Drafting & Negotiation
     • Contract Automation
     • Database Oversight
     • Contract Landscaping

  5. Today’s Webinar Overview
     In this webinar we will review:
     • How to structure risk mitigation in your contracts: recommended clause types
     • An overview of a typical, proactive data security risk mitigation workflow for contracting
     • Methods to retrospectively mitigate data security risk in existing relationships’ contracts

  6. STRUCTURING RISK MITIGATION IN CONTRACT LANGUAGE

  7. Precautionary Clauses: Proactive Language to Ensure Security Measures Exist
     • Required Precautions
       ‒ Level of Security Required
       ‒ Restrictions on Storage
       ‒ Access Limitations
       ‒ Update Requirements

  8. Incident Response Clauses: Language to Ensure Breaches are Handled Appropriately
     • Breach Procedures
       ‒ Incident Response Plans
       ‒ Notification Requirements
         • Timing
         • Contents
       ‒ Indemnification/Reimbursement

  9. INCLUDING RISK MITIGATION LANGUAGE IN YOUR CONTRACTS

  10. Current Standard Infosec Model: How do you choose the right terms for your engagement?
      Most standard information security procedures follow some form of the above process, with variations introduced based on the unique needs of the organization in question.

  11. Matching your Risk to your Language
      • Employ questionnaires to systematically identify risk covering a variety of technical and physical attack vectors
      • Develop a matrix with axes based on the sensitivity of the data and the quality of the security the vendor has in place
      • Draft Security Addenda with the least restrictive language sufficient to address the various points on the matrix

      | SENSITIVITY OF DATA | QUALITY OF SECURITY: Low | QUALITY OF SECURITY: Medium | QUALITY OF SECURITY: High |
      |---------------------|--------------------------|-----------------------------|---------------------------|
      | Low                 | Rider B                  | Rider A                     | Rider A                   |
      | Medium              | Rider D                  | Rider C                     | Rider A                   |
      | High                | Rider F                  | Rider E                     | Rider C                   |

  12. Pitfalls in Procurement: Potential Solutions to Reduce Time-to-Execution
      • Information Security Reviews can be time consuming, but there are ways to expedite vendor onboarding:
        ‒ Provide the option for a vendor to voluntarily adopt the most stringent addenda
        ‒ Engage a third party risk assessment vendor to provide faster recommendations

  13. CONTRACT LANDSCAPING: How to Use AI to Mitigate Risk in Existing Relationships

  14. Controlling for Risk in Existing Contracts
      • Existing Agreements or Rogue Contractors
      • Acquired Contracts
      • Changes in Scope

  15. Artificial Intelligence and Contracts: How to use Current-State AI as a Risk Identification Tool
      • What is the current state of commercially-available contract AI?
        ‒ Fuzzy Text Searching
        ‒ Pre-Trained Data Models
        ‒ Bespoke Training based on User Annotation

  16. AI “Reading” Contracts – How is it done?
      • Clause Extraction: Find the relevant language
      • Point Extraction: Examine the clause to extract discrete data points
      • Inferences: Use deductive reasoning and relationships between fields to intuit new data points

  17. Contract Landscaping: Using AI-Generated Data to Identify Risky Relationships and Repair Them
      The goal is to eliminate firms from a “risk list” by finding data security terms in contracts with those firms. Once all mitigated vendors are eliminated from the list, those that remain can be repapered with the appropriate security rider.

  18. QUESTIONS / COMMENTS

  19. Thank You
      For more information please contact:
      • Tyler Marion, Tyler.Marion@duffandphelps.com, M: +1 (206) 472-4934
      • Derek Mihm, Derek.Mihm@duffandphelps.com, M: +1 (651) 393-4060
      A DUFF & PHELPS PRODUCT
