May 6, 2026

Pointing Fingers and Losing Trust: Avoiding Third-Party Cybersecurity Risks with Vendor Contracts

Up to 60% of small businesses close within six months of a cyber attack. Up to 30% of data breaches involve the victim’s third-party suppliers and vendors. With statistics like that, smart businesses are asking how they can avoid third-party cyber risk.

Preventing third-party cyber risk starts with the vendor agreement. While some companies don’t even consider cybersecurity when procuring suppliers, software, and other services, building cybersecurity into your contract stack can preserve your business’s revenue, goodwill, and ability to maintain affordable insurance. Read on to learn what companies should look for in their vendor contracts to avoid third-party cyber risk. 

Cybersecurity, Data Privacy, AI Tools, and Common Risks 

Data breaches are where cybersecurity and data privacy meet. What constitutes a data breach is defined differently state to state in the US, where there is no single comprehensive cybersecurity and data privacy law. Instead, federal laws addressing cybersecurity and data privacy are mostly sector or population specific, and each state has passed at least some cybersecurity and data privacy laws. 

Every state has some requirement that data subjects (the people whose personally identifiable information (“PII”) is possessed by an applicable entity) be notified if their PII is subject to a data breach. However, there is significant variance among states on what entities must provide notification, how many people’s data must be exposed before notification is required, how quickly notification must be given, how notification must be made, what the notice must contain, and the like. 

Generally, a data breach occurs when an unauthorized party (often called a “threat actor” or a “TA”) either accesses or acquires personally identifiable information. Jurisdictions abiding by one of these data breach definitions are sometimes called either “access” jurisdictions or “acquisition” jurisdictions. Most states have an encryption safe harbor, meaning that when encrypted data is accessed or acquired by a threat actor and there is no evidence that the encryption has been broken, the entity does not need to provide notification.

It’s important for companies to understand that often, the applicable cybersecurity and data privacy laws are those in place where the data subject is domiciled, not where the business is located. Accordingly, businesses that solicit clients from around the world or from several states may have to comply with multiple notification laws during the same data breach. 

Let’s consider how that reality affects costs. After a data breach, most companies must pay to remediate a compromised network environment while their business may be closed or inaccessible to customers due to threat actor harm. Forensic investigation is usually needed to confirm the breach, the cause, and the needed repairs. Notifications must be made, often in compliance with jurisdiction-specific laws requiring different content, methods, timelines, and additional support for data subjects, like call centers or credit monitoring. Regulators may investigate the breach, require reports, and/or levy fines. Accordingly, a single data breach can create significant financial harm. 

Third-Party Cyber Risk

Third-party vendors are one of the most common sources of cybersecurity and data privacy risk. These vendors often require access to a company’s systems, networks, or sensitive data but, especially without contractual obligation, may not follow the same security standards. Weak vendor security practices—such as poor access controls, outdated software, or lack of encryption—can create entry points for attackers, leading to data breaches or ransomware incidents. Additionally, vendors may mishandle PII, either through inadequate storage protections or improper data sharing, increasing the risk of regulatory violations and reputational damage. Supply chain attacks are another major concern, where attackers compromise a trusted vendor to infiltrate multiple organizations at once. Limited visibility into vendor operations, combined with insufficient due diligence and monitoring, makes it difficult for companies to detect vulnerabilities early, amplifying both the likelihood and impact of a breach.

Key Contractual Requirements for Avoiding Third-Party Cyber Risk 

When drafting contracts with third‑party vendors to reduce cybersecurity and data privacy risks, companies should prioritize including clear, specific, and enforceable provisions that go beyond general language about “reasonable security.” Here are four initial steps to take to reduce cyber risk when working with vendors:

Explicit Security and Data Protection Standards

Contracts should require vendors to implement defined cybersecurity controls (e.g., encryption, access control, patch management, multifactor authentication) and comply with recognized frameworks such as NIST or ISO standards rather than vague “reasonable” measures. This sets measurable expectations for protecting data and systems.

Incident Response and Breach Notification Obligations

Vendors must agree to timely notification of security incidents or data breaches, cooperate with investigations, and provide detailed reporting timelines and procedures. Clear definitions (e.g., what constitutes a breach and “timely” reporting) help avoid ambiguity in enforcement.

Audit, Monitoring, and Compliance Rights

Companies should retain rights to audit or assess vendor security practices periodically, require evidence of compliance (such as SOC 2 or ISO 27001 reports), and mandate corrective action plans if issues are identified. This ongoing oversight ensures vendors maintain security throughout the relationship.

Data Ownership, Return/Destruction, Liability and Indemnification

Contracts should clarify that the company retains ownership of its data, require secure return or destruction of data at contract end, and include indemnification clauses allocating liability (including fines and costs) to the vendor for breaches caused by their failure to meet contractual obligations. Cyber liability insurance requirements can also be included to ensure financial protection. 

A Practical Cybersecurity Checklist for Vendor Contracts

  • How quickly after discovering a data breach must the vendor notify your company? 
  • Are the vendor’s subcontractors held to the same security standards as the vendor? 
  • Who is responsible for notifications if the vendor’s conduct, employees/contractors, or services result in a data breach? 
  • Who is responsible for remediation costs if the vendor’s conduct, employees/contractors, or services expose your company’s environment to a threat actor? 
  • If the vendor is responsible for notifications, remediation, or other costs, do they have sufficient cyber insurance to pay those costs? 
  • Does the contract require maintenance of cyber insurance? Are you able to request proof of that insurance? 

Considerations for AI Deployment 

When a business integrates AI into its operations, its third-party cyber risk profile becomes significantly more complex. AI systems typically rely on a web of external dependencies that include cloud platforms, data providers, model vendors, and API services, each of which introduces its own security vulnerabilities and potential points of failure. Unlike traditional software, AI models can be manipulated through techniques such as adversarial inputs or data poisoning, meaning that a compromised third-party data pipeline can corrupt model behavior in ways that are difficult to detect. The opacity of many AI systems also makes it harder to audit third-party components for security weaknesses, reducing visibility into where sensitive data travels and how it is processed. Additionally, the scale and speed at which AI operates can amplify the downstream impact of a third-party breach, turning what might have been a contained incident into a widespread exposure. Businesses must therefore extend their vendor risk management frameworks to account not just for conventional cybersecurity standards, but for AI-specific risks such as model integrity, training data provenance, and the security practices of the entire AI supply chain.

To address the risks that AI introduces through third-party relationships, a business should begin by expanding its vendor inventory and classification process to explicitly identify which vendors are providing or interacting with AI systems, whether as model developers, data suppliers, or infrastructure hosts. Due diligence questionnaires and assessments should be updated to include AI-specific inquiries covering how vendors secure their training data, how models are tested for bias and adversarial vulnerabilities, and what controls exist around model updates and versioning. Contractual agreements with AI vendors should be strengthened to require transparency around model changes, data handling practices, and incident notification timelines, with provisions for audit rights where possible. Businesses should also consider establishing ongoing monitoring practices that go beyond point-in-time assessments, since AI systems can degrade or behave unpredictably over time in ways that create new exposures after initial onboarding. Internal stakeholders from legal, IT, compliance, and procurement should collaborate to build a shared framework that treats AI vendor risk as a distinct and evolving category rather than folding it into existing software or data vendor processes without modification. Finally, businesses should stay attentive to the broader AI supply chain, recognizing that a vendor's own third-party dependencies — the models or data sources they rely on — can introduce risks that flow indirectly into the business even without a direct relationship.

Want to protect yourself from this kind of risk?

Contact Rudick Law Group to learn more about our AI Governance practice led by Victoria Cvitanovic.
