What sort of contractual mechanisms (e.g., right-to-audit, SLAs for breach notification) are most effective for reducing downstream risk?

37 views, 5 comments
Director of Information Security, a day ago

We had a vendor release an update—specifically EDR—without notifying us, which ended up bricking some assets. As a result, we secured the right to approve all patch releases as part of our contract. While this wasn’t with CrowdStrike, it’s an example of how we were able to leverage an incident to gain more control over the system.

Chief Information Security Officer, a day ago

That’s definitely the minority of cases. Most of the time, damages are limited to the previous year’s fees or something similar, so the consequences for non-compliance aren’t significant. The punishment rarely matches the risk.

VP of Information Security, a day ago

An SLA for breach notification doesn’t really help, because the breach has already happened and you still have to deal with the fallout. The right-to-audit clause gives you a bit more leverage, but it doesn’t guarantee that vendors will change their practices. The real question is how much a vendor will actually do differently because of what’s in the contract. Unless you’re in a position to require, “If you want our business, you must do these things,” and the vendor is willing to comply, it’s rare that contractual requirements lead to operational changes. It’s even rarer that the business is willing to wait for the vendor to implement those changes before moving forward.

VP of IT in Consumer Goods, a day ago

I haven’t found any contractual mechanisms to be particularly effective. It’s a challenge, especially with vendors who have experienced breaches themselves. Generally, they do a good job of notifying us, and we cut off communications and data transfers until they can explain what happened and what they’ve done to remediate. However, with larger vendors—like a CrowdStrike, for example—they will report out publicly in their own way, regardless of what’s in our contract. Our influence is limited with these bigger players. The best outcome I’ve achieved is using a vendor issue as leverage during renegotiations, either to get something at no cost or to prevent a price increase.

VP of Information Security, a day ago

We include many of these items in our contracts, but in reality, we rarely execute on them unless we’re having difficulties with a vendor. One approach we’re starting to require more often is for customers to have some form of security certification. Including this contractually actually forces organizations to implement security controls, as opposed to simply subscribing to a framework or something that doesn’t provide proof or third-party attestation. Depending on the vendor type, we look for these kinds of requirements more and more.

Regarding breach notification requirements, I’ve found that when a significant incident occurs, vendors rarely meet the contractual notification timelines. You can point out that they failed to notify you in time, but there’s little recourse. Ultimately, I believe certifications that require vendors to prove some level of attested security are more effective than breach notification clauses.
