Contracts are one of the most valuable assets for a company.
As data becomes more and more digitised, and especially since the beginning of the health crisis, security becomes a more important issue every day.
This is why, before choosing a Contract Management solution, it is essential to ensure several things. Firstly, that the company developing the solution is well aware of the issues and risks related to security and, above all, is able to ensure the security of your contractual data.
In this article, we give you the 15 questions you should definitely ask.
15 questions to ask your contract management solution to ensure the security of your contract data
1) Why should I care about the security of my contracts?
This makes sense, but a good CLM partner should be able to answer your questions.
To put it simply: your contracts contain information about your commitments and those of your counterparts. This includes: the names of the parties, the obligations of each, prices, future deadlines, penalties for delay, etc. This is crucial data for your business, which you need to protect. For your contracts, you therefore need a real safe.
As our CEO Alexandre Grux says: "Contracts are one of a company's most valuable assets, which is why since its inception, Hyperlex has placed security at the heart of its DNA."
2) What are the biggest cyber security threats today?
In the age of SaaS software, companies are increasingly affected by cyber-attacks. Here are the top 3 most common attacks.
- Ransomware
Ransomware is the digital version of street racketeering. The principle: company data is taken hostage by a hacker and a ransom is demanded in return. To do this, a malicious computer program is hidden in the attachment of an email, and infects the device where it is opened.
According to Sophos, the price of recovering data reached an average of €130,000 in 2020.
- Spearphishing
These are emails that impersonate a private company or an administration.
- Always be wary of attachments that may be contaminated.
- Move your mouse without clicking over the links and pay attention to the quality of the spelling.
- If you have any doubts about the sender of a message, contact him/her through another channel.
- Hacking or data leakage
It can be internal or external, intentional or not. A data leak can be due to the infiltration of the computer network by a hacker... But it can also come from an employee of the company! More info here: what are the cyber risks?
👀 See: How to secure corporate legal data in the cloud?
3) Is your company certified? If yes, what is the scope?
The easiest way to find out if your contracts are really safe is to choose a partner that has been certified. Many companies only certify part of their business but advertise that they are certified anyway.
You should know that there is the ISO/IEC 27001:2013 standard, a pioneering international certification in the field of IT security, and its privacy extension, ISO 27701:2019. To obtain this certification, a company must, among other things, make a clear and precise inventory of what is done in the company in terms of security and agree on a plan in case of an attack.
Importantly, once ISO/IEC 27001:2013 certification is obtained, three audits are carried out over a three-year period. At the end of this period, the certification can be renewed (or not). It is therefore a long-term process.
4) What are your compliance obligations regarding sensitive data?
If the subject of security is a priority for you, it should also be a priority for the Contract Management solution team you adopt.
To give you a concrete example: as mentioned above, the ISO/IEC 27701:2019 certification - obtained by Hyperlex - testifies that our company has put in place the most optimal means to protect the data of our customers and partners.
A strict procedure is followed when working with a new subcontractor and a number of points are checked. For example:
- Is it itself ISO/IEC 27701:2019 or SOC 1-2-3 (Service Organization Control) certified?
- Does it comply with privacy guidelines? Does it store data in the European Union?
- What are its processes and methods for handling personal data?
5) Where will my contract data be hosted?
It is always better if the data is hosted in the European Union. Member States are subject to the GDPR, which regulates the processing of personal data and strengthens citizens' control over how their data is used.
6) How is my contract data protected?
Does the CLM with whom you are about to contract encrypt its customers' data? If so, in what way?
For example, at Hyperlex, all documents are encrypted, with a unique key per document, an outsourced KMS system and decryption on the client workstation to avoid decrypted transfers.
7) Is your company's infrastructure certified?
We are talking here about the certification of the infrastructure and not the company. It is not uncommon for legaltech infrastructures to be ISO/IEC 27001:2013, SSAE16 SOC1, SOC2, SOC3 certified.
At Hyperlex, the security and confidentiality of our clients' data does not stop at the security of our infrastructure. We tell you more on our security page.
👀 Also recommended: All about ISO/IEC 27001:2013
8) Are you RGPD compliant?
The GDPR is mandatory and directly applicable in all EU Member States.
9) Are your staff trained in information security and risk management?
Safety is a team issue. Every employee in every department of the company must be involved and trained.
At Hyperlex, for example, ISO/IEC 27001:2013 certification commits the entire team to knowing the information security policy, objectives, roles and responsibilities of each individual.
10) Are backups of my data made?
It is absolutely necessary that security backups of your data are made regularly.
Why? Because beyond the protection measures put in place, you need to be able to recover your data in the state it was in before it was corrupted or lost.
11) In the event of an attack, what measures have been put in place at the level of its infrastructure?
The infrastructure is like the skeleton of the information systems, consisting of servers, network, software, data. And this is where security begins.
Ask your partner about the measures they have put in place in terms of infrastructure. Here are some more specific examples.
👀 Read also: 7 good practices to control contractual risks
12) Is the architecture multi-tier?
This is an architecture in which an application is executed by several separate components, i.e. it is based on tiers that are independent of each other. Imagine compartments separated by fire doors that prevent the spread of a fire...
13) Do you have any anti-flooding measures in place?
They avoid the actions of sending a large amount of obsolete data in order to flood a network and make it unusable.
14) Is there an intrusion prevention system (IPS)?
This system analyses network traffic, detects cyber attacks and helps block them.
15) Which service providers does your CLM partner use?
The LMC of your choice should be able to provide you with a full list of the partners it works with.
Want to see our solution in action?
Safety is our hobby, and we write a lot about it:
- What is an ISMS?
- What is compliance?
- How can you protect your contract data in the cloud? Decryption.