
Cybersecurity provisions are one of those areas where it is tempting to copy the language from the last deal and move on. That works until something goes wrong. Most contract lawyers know cybersecurity exists and dance around the edges of it, but never build the foundation that lets them draft from inside the architecture instead of from outside it.
How to Contract kicked off a new fundamentals series with a session hosted by Laura Frederick and featuring Bill, a three-time tech Chief Legal Officer and fractional General Counsel with a cyber recovery background, and Aparna Williams, Chief Legal Officer at Sophos, who spent over 25 years in the cybersecurity industry and started her career as a contracts negotiator. Their combined view from the legal seat at security companies made the conversation unusually practical.
The session covered what to learn from your own security team, how breaches actually happen, what SOC 2, ISO 27001, and NIST do and do not cover, why data classification ends up driving everything else in the contract, how to handle incident notification clocks and the known-versus-should-have-known line, and how to make audit rights useful rather than theoretical.
Here are our top ten takeaways from the speakers' comments during the webinar:
Spend time with your security team before you draft. Walk over to the CISO. Look at the information security plan and the network architecture. You do not need to master the technology. You need to see how the company has actually built its protections. The lawyers who skip this step end up drafting from outside the architecture, and that is where the gaps come from.
Treat the gap analysis between your security policy and the vendor's as the leverage point. The vendor will not adopt your security policy because the vendor cannot scale a business that does. That is fine. The work is identifying which of your requirements are non-negotiable, which can be met through certifications, and which need to be added to the contract as specific obligations. The gap analysis is where that gets sorted out.
Phishing and inadequate patching cause most breaches, so contract for both. Bill said over 90 percent of breaches he has seen come from those two sources. Phishing maps to internal training and culture, but inadequate patching is squarely a vendor risk. The contract should require the vendor to maintain a current certification and tie that to a representation, so a failure becomes a breach-of-contract claim instead of just an indemnification fight.
Make the vendor responsible for its sub-processors. Every vendor uses third parties. A contract that does not put the vendor on the hook for the sub-processor's compliance leaves a hole in the chain. Name the obligation specifically. Do not let it sit in a generic flow-down clause that nobody enforces.
Frameworks are outcomes, not technical requirements. SOC 2, ISO 27001, and NIST tell you the vendor has built a management system or audit program around a set of outcomes. They do not tell you the vendor has the specific technical controls you care about. Use the certification as a baseline and use the security questionnaire and the contract to fill in what the certification does not cover.
Tiered data classification is a contracting tool, not just an IT exercise. The lazy confidentiality definition treats all sensitive information the same way. Tiered classification forces both parties to agree on what gets the most protection, what gets less, and what controls apply at each level. It also limits what the vendor can access and what they have to do with the data once they are done with it.
Critical infrastructure and AI agents change the threat model. When the asset being protected is operational continuity or an autonomous process, the framing has to move beyond data privacy. Energy systems, healthcare equipment, and AI agents acting on the company's behalf all carry safety and continuity risk that traditional cybersecurity provisions do not capture cleanly. We tend to default to the data-protection framing because that is where most of our drafting precedent lives. The deals where lives or operations are on the line need a different lens, and the contract has to reflect that.
Start the notification clock at discovery, not at the first weird ping. A 24-hour notification obligation that starts from the moment something looks unusual is a recipe for noise and bad data. Tie the clock to discovery, define discovery in a way that reflects how the vendor's monitoring actually works, and require notification on belief rather than only on confirmation, so the customer is in the room when the call gets made about whether to escalate. Bill's preferred language is "discovers or reasonably suspects," with 48 hours from discovery as roughly the outer limit. That is the market standard worth holding onto.
Pre-engage privileged forensics vendors before you need them. When the world is on fire, you have no leverage on pricing and no time to onboard new vendors. Identify the forensics firms now. Have outside counsel retain them so the work product is privileged. This is one of the highest-value moves a legal team can make and it never gets into a vendor contract because it is your own preparation.
Audit rights have to do something specific or they are theater. Tie audits to your own certification cycle. Tie them to vendor certification events so you get the renewed reports. Require penetration testing findings where the vendor runs them anyway. The point is to make the audit produce information that feeds into a decision, not to give the customer a theoretical inspection right that nobody ever exercises.
Subscribe to Stay in the Loop
Our weekly newsletter covers the upcoming How to Contract webinars and recaps like this one. Subscribe now to keep these fundamentals on hand the next time you sit down with a security exhibit.








