On July 4, CSO quoted Paul Malie in “Cybersecurity in the Supply Chain: Strategies for Managing Fourth-Party Risks.” Paul commented on the use of contract clauses that require a company’s vendors and suppliers to impose equivalent cybersecurity obligations on fourth-party vendors that address issues such as data protection, breach notification, security development practices, and audits.

“To enforce security standards downstream, companies typically build in flow-down obligations — contract clauses that require third-party vendors to impose the same, or equivalent, security requirements on all their subcontractors,” Paul explained.

Paul added that strong cybersecurity contracts should include “audit rights to inspect fourth-party practices, subcontractor approval clauses, and indemnification provisions that hold vendors liable for breaches caused by their suppliers.”

Read the article on the CSO website here.