Contracts as an all-powerful tool against CEF
My previous article, titled ‘Cyber-enabled fraud: an imminent threat to business in Azerbaijan’, illustrated how institutions such as banks and law enforcement, or legal instruments alone, are incapable of defending businesses from cyber-enabled fraud (CEF). That article also listed several recommendations for business stakeholders on protecting their businesses. Below, I will shed light on the importance of commercial agreements and how they can help businesses both prevent CEF and recover from its consequences.
The importance of civil liability
As became evident from the case of our client (the 'Client'), the originating, intermediary, and beneficiary banks were unable to prevent the intruder(s) from withdrawing the whole amount wired by the Client. Law enforcement agencies in both Azerbaijan and the UAE declined to open a criminal case on jurisdictional grounds. For this reason, civil liability must step in, as businesses need a more sophisticated remedy to ensure the security of their hard-earned money. Contracts are one of the principal sources of civil liability and should contain robust elements to defend businesses, including but not limited to the following:
Duty of due care
Vendors must be obliged to provide an adequate level of cybersecurity. Also known as security clauses, such provisions oblige the vendor to maintain strong information security practices and policies that are in line with legal and industry-specific standards. Organisations are increasingly keen to ensure that vendors meet the ISO/IEC 27000 series of standards or the NIST Cybersecurity Framework, and to have the vendor evidence this, for instance by a current certificate or an audit right. Businesses may also require that their vendors conduct regular phishing simulations, maintain encrypted backup and recovery, train employees, and so on. Such requirements should, however, be proportionate to the sensitivity of the data and the method by which it is transferred.
Indemnity clause
As one of the most important risk-transfer tools in any business agreement, indemnity clauses should be included in vendor agreements to cover breaches of confidentiality and privacy and security incidents, cybersecurity exposure in particular. Businesses should resist vendor-proposed limitation-of-liability clauses or liability disclaimers, considering that the cost of responding to a cybersecurity incident can be astronomical. Indemnification clauses should be drafted to match the coverage required under the separate insurance clause, so that there is no inconsistency between what is indemnified and what is covered by insurance.
Cyber-risk insurance
Businesses should require vendors to maintain adequate insurance to fund their potential indemnification obligations. Since cyber-risk insurance is a relatively new product, template insurance clauses are unlikely to address industry-specific concerns. Businesses should avoid a one-size-fits-all approach and make sure that the vendor's insurance provides breach-response coverage and business-interruption coverage to mitigate damages from CEF. In any case, businesses should seek the advice of internal or external counsel to draft an insurance clause that meets their needs.
Data breach notification
Vendor agreements should impose an obligation on the vendor to alert the buyer within a specified period after the discovery of a data breach. Such alerts should be detailed enough to allow the buyer to take the necessary actions to mitigate the damage. These notices may be crucial for businesses that must warn their own customers, regulators, or insurers within a limited timeframe. In our case, the Client was obliged to notify the Central Bank of Azerbaijan in order to avoid administrative penalties.
Data retention
A data retention provision should be well established in vendor agreements and should, at a minimum: 1) restrict access to data to a need-to-know basis (including by promptly revoking access when employees are offboarded); 2) narrow the processing of data to only what is required to fulfil the vendor's obligations; and 3) ensure the return or destruction of records (including emails) on request, with an obligation on the vendor to certify such destruction.
Restriction of Sub-Processors
In some cases, vendors hire sub-processors to handle buyers' data, or they use the services of third parties, such as accounting firms, that have access to buyers' confidential or proprietary information. Since vendors enter into agreements with such sub-contractors to which the buyer is not a party, purchase agreements with vendors must oblige the vendor to flow down, among other things, equivalent security and confidentiality clauses into its own agreements with those third parties.
Vendor’s obligation to hire a first-class bank with multi-factor authentication processes
The beneficiary bank of our Client's vendor in the UAE did not apply adequate multi-factor authentication, which ultimately allowed the intruder(s) to withdraw the full amount wired by the Client. Since not all jurisdictions require their banks to enforce multi-factor authentication, businesses should require in their agreements that vendors use the services of banks that do. Note that such a clause addresses the compromise of the vendor's own bank account; it offers no protection where the fraud consists of inducing the buyer to wire funds to an account the intruder controls.
Admittedly, adding clauses such as those above to agreements for the sake of cybersecurity imposes an additional burden on negotiating and managing contracts. Their importance should not be underestimated, however, given that the financial losses that follow from the absence of cybersecurity clauses can be astronomical.
About the author
Ruslan Bayramov is a Founding Partner at Legalize Law Firm. He specialises in corporate law, eCommerce, and AML/CFT compliance, and advises clients on asset recovery following cyber-enabled fraud. For further information about the author and Legalize Law Firm, please visit https://www.legalize.az/en