{"id":187918,"date":"2026-02-16T07:52:00","date_gmt":"2026-02-16T12:52:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/16\/cybersecurity-terms-in-third-party-contracts-are-you-being-served-or-served-up-opinion\/"},"modified":"2026-02-16T12:50:09","modified_gmt":"2026-02-16T17:50:09","slug":"cybersecurity-terms-in-third-party-contracts-are-you-being-served-or-served-up-opinion","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/16\/cybersecurity-terms-in-third-party-contracts-are-you-being-served-or-served-up-opinion\/","title":{"rendered":"Cybersecurity terms in third-party contracts: Are you being served, or served up? | Opinion"},"content":{"rendered":"<p><a href=\"https:\/\/www.complianceweek.com\/opinion\/cybersecurity-terms-in-third-party-contracts-are-you-being-served-or-served-up\/36458.article\">Cybersecurity terms in third-party contracts: Are you being served, or served up? | Opinion<\/a><\/p>\n<p><a href=\"https:\/\/www.complianceweek.com\/opinion\/cybersecurity-terms-in-third-party-contracts-are-you-being-served-or-served-up\/36458.article\">https:\/\/www.complianceweek.com\/opinion\/cybersecurity-terms-in-third-party-contracts-are-you-being-served-or-served-up\/36458.article<\/a><\/p>\n<p>Publish Date: 2026-02-16 07:52:00<\/p>\n<p>Source Domain: www.complianceweek.com<\/p>\n<p>Author: Steven W. Teppler<\/p>\n<p>As enterprises increasingly outsource critical information technology and cybersecurity functions to managed service providers (MSPs) and managed security service providers (MSSPs), a troubling paradox has emerged. Organizations expect vendors to reduce risk, yet many unknowingly amplify their exposure\u2014through contractual blind spots that ignore technical failures. 
Many enterprises believe they are being served expertise, scalability, and security. In practice, they are often being served up.<\/p>\n
<p>Increasingly, the most significant cybersecurity risks associated with MSPs and MSSPs arise not directly from threat actors but from governance failures embedded in standard agreements. Those agreements fail to account for modern supply-web realities, in which third- and fourth-party vendors, cloud platforms, and subcontractors create cascading risk far beyond the contracting entity. Recent third- and fourth-party vendor-sourced compromises include those experienced by Change Healthcare, TIAA, and Cognizant.<\/p>\n
<p>From supply chains to supply webs<\/p>\n
<p>Traditional third-party risk management models assume exposure linearity: vendor \u2192 client. That assumption is no longer defensible.<\/p>\n
<p>Modern MSPs and MSSPs operate within complex supply webs. A provider may rely on remote monitoring and management platforms, endpoint detection and response vendors, cloud hosting providers, identity and access management tools, offshore subcontractors, and open-source components. Each dependency adds attack surface, yet most MSP and MSSP agreements are silent or opaque on third- and fourth-party risk, treating those parties as invisible, out of scope, or \u201cproprietary.\u201d When an incident occurs, that silence becomes consequential.<\/p>\n
<p>When vendor risk materializes, at- or post-incident review of MSP and MSSP agreements exposes recurring patterns that systematically disadvantage the client. Provider liability caps limited to fees paid over a short lookback period, and outright disclaimers, are routine, even when the provider retains exclusive or shared operational control over systems, credentials, logs, and security tooling.<\/p>\n
<p>The client, however, bears regulatory, litigation, and reputational exposure without corresponding authority. Such contracts allow providers to unilaterally control (and even prohibit independent) breach investigation, forensic scope, and communications. The primary obligation for investigation, notification, and regulatory reporting nonetheless remains with the client (the \u201cdata controller,\u201d \u201ccovered entity,\u201d or \u201cdata owner\u201d). It is the uninformed client who faces severe legal and regulatory consequences.<\/p>\n
<p>Delayed or conditional breach notification<\/p>\n
<p>Notification timelines tied to \u201cconfirmed breaches,\u201d \u201cmateriality,\u201d or provider discretion delay response and regulatory reporting. In a world where data exfiltration and ransomware are joined at the hip, these delays are indefensible.<\/p>\n
<p>Vanishing logs and forensic discontinuity<\/p>\n
<p>MSP and MSSP agreements often fail to clarify ownership of cybersecurity event data, retention obligations, or client access rights. Where providers are replaced, often after an incident, critical forensic evidence required for regulatory or statutory compliance may disappear entirely, leaving the client exposed to increased scrutiny and penalties.<\/p>\n
<p>Regulatory reality has outpaced contract templates<\/p>\n
<p>Regulators are moving beyond the mindset that outsourcing equals risk transfer. HIPAA-covered entities remain responsible for violations arising from business associates. Financial institutions are accountable under the Gramm-Leach-Bliley Act (GLBA) and related supervisory guidance for vendor failures. Critical infrastructure operators face expanding obligations under sector-specific regimes. State privacy laws increasingly impose direct and indirect obligations tied to vendor conduct.<\/p>\n
<p>Across sectors, the message is consistent: You may outsource operations, but you cannot outsource responsibility. Yet many MSP and MSSP agreements read as though they were drafted on the assumption that regulators do not require demonstrable vendor governance.<\/p>\n
<p>The MSA as a governance instrument<\/p>\n
<p>Managed services are here to stay, but clients should make cybersecurity governance an integral part of any master services agreement (\u201cMSA\u201d) and realign risk with operational control in a way that reflects supply-web complexity. Essential principles include:<\/p>\n
<p>Operational control drives risk allocation.<\/p>\n
<p>Indemnification and insurance obligations must follow where the provider controls credentials, tooling, monitoring, patching, or response actions. Liability caps should carve out breaches arising from provider negligence, security failures, or subcontractor misconduct.<\/p>\n
<p>Mandatory, rapid breach notification.<\/p>\n
<p>Notification obligations should be measured in hours, not days, and triggered by suspicion of unauthorized access, not by provider confirmation.<\/p>\n
<p>Preservation of forensic independence.<\/p>\n
<p>Clients must retain the right to engage independent forensic experts, access logs in native format, and preserve evidence without provider interference. Log ownership and retention obligations must survive termination.<\/p>\n
<p>Fourth-party transparency and accountability.<\/p>\n
<p>Providers should be required to disclose material subcontractors and tooling dependencies, impose equivalent security obligations downstream, and remain fully responsible for their failures.<\/p>\n
<p>Transition cooperation as a legal obligation.<\/p>\n
<p>Contracts must require providers to support secure transition, during and after termination, including credential transfer, documentation, and forensic continuity. Exit is a risk event, not an administrative footnote.<\/p>\n
<p>Insurance as risk-sharing, not window dressing.<\/p>\n
<p>Cyber insurance requirements should be specific, verifiable, and aligned with realistic loss scenarios, not symbolic certificates buried in an exhibit.<\/p>\n
<p>Supply-web governance is now a board-level issue<\/p>\n
<p>The implications extend to boards and executive leadership, who increasingly face scrutiny over vendor governance, cyber resilience, and incident preparedness. Vendor relationships sit at the intersection of operational dependency and fiduciary obligation.<\/p>\n
<p>A breach originating in a fourth-party tool used by an MSP will not be explained away by pointing to a contract. Regulators, plaintiffs\u2019 counsel, and insurers will ask a simpler question: Did you exercise reasonable governance over the entities entrusted with your systems and data? That question cannot be answered by contractual terms alone.<\/p>\n
<p>Conclusion<\/p>\n
<p>Providers reserve broad rights to delegate services to affiliates and subcontractors without meaningful disclosure, audit rights, or security equivalency requirements. The enterprise may never know when, or even who, actually touched client-sensitive data. Opaque vendor provisions are industry standard, and they are incompatible with modern compliance expectations.<\/p>\n
<p>MSPs and MSSPs remain essential enterprise partners. The evolving risk landscape means that supply chains have become supply webs. Breaches propagate laterally, and contractual shortcuts now carry existential consequences. MSP and MSSP agreements should be viewed as enforceable governance frameworks, not procurement artifacts, allocating responsibility, preserving authority, and anticipating failure before it occurs.<\/p>\n
<p>About the Author<\/p>\n
<p>Steven W. Teppler, CDPSE, is a partner and chair of the Cybersecurity and Data Privacy practice group at Mandelbaum Barrett PC in New York. He also serves as the firm\u2019s Chief Cybersecurity Legal Officer.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity terms in third-party contracts: Are you being served, or served up? 
| Opinion https:\/\/www.complianceweek.com\/opinion\/cybersecurity-terms-in-third-party-contracts-are-you-being-served-or-served-up\/36458.article&#8230;<\/p>\n","protected":false},"author":1,"featured_media":187919,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/d6jxgaftxvagq.cloudfront.net\/Pictures\/1024x536\/1\/8\/9\/21189_SupplyChainEurope.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,24],"class_list":["post-187918","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/187918"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=187918"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/187918\/revisions"}],"predecessor-version":[{"id":187920,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/187918\/revisions\/187920"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/187919"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=187918"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=187918"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=187918"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}