
Vendor Incident Notifications: What to Require (and What to Test)

The Risk

When a third party has a security incident, most institutions find out late — after systems are already impacted or after a public disclosure. A strong notification clause helps, but only if it is specific and operational.

What to Require in the Contract

  • Notification trigger: define what counts as an incident (suspected as well as confirmed, and including incidents at the vendor's own subprocessors that touch your data or services), not just a confirmed breach.
  • Time window: a clear requirement (ex: within 24 hours of discovery) rather than “without undue delay”; define “discovery” as when the vendor first detects the incident, not when its internal investigation is complete.
  • Who to contact: 24/7 hotline + named roles + escalation path, on both sides.
  • What they must share: affected services, timeline, containment actions, indicators of compromise (IOCs) if available, and whether exposure of your data is suspected.
  • Ongoing updates: cadence until closure (ex: daily, then weekly) plus a final written summary including root cause and corrective actions.

What to Test (Once Per Year)

A simple way to validate the clause is to run a short tabletop with your top vendors:

  • Ask how they would notify you after-hours, and whether the contact details they hold for you are current.
  • Confirm they can map an affected system to the customers it serves, so they can identify your institution as in scope.
  • Confirm who signs and sends the final written incident summary.

If they cannot answer quickly, the clause might exist on paper but not in practice.

Need Help Tightening Vendor Language?

If you want a simple, defensible incident notification clause you can use across contracts, reach out.