IRRS Legality: How to Negotiate the Scope and Limitations of Incident Response Retainer Services to Protect Your Business

By: Aleke Francis AO

Cybersecurity incidents are inevitable in today’s digital world. Whether it is a ransomware attack, a data breach, or a nation-state sponsored intrusion, cyberattacks can cause significant damage to your business operations, reputation, and finances. To mitigate the impact of such incidents, you need to have a robust incident response plan and team in place. However, not every organization has the resources, expertise, or time to build and maintain an in-house incident response capability. This is where incident response retainer services come in handy.

What Is an Incident Response Retainer Service?
An incident response retainer service is a service agreement with a cybersecurity provider: a contract stating that if the business is targeted by a cyberattack, the provider will supply the services needed to respond to it. Incident response retainer services are offered by digital forensics and incident response (DFIR) specialists, by managed service providers, and by vendors of incident response tools that also maintain in-house incident response teams.

The benefits of having an Incident Response Retainer Service
1. Faster and more effective response to cybersecurity incidents, as the provider has the expertise, tools, and experience to handle complex and sophisticated attacks.

2. Reduced costs and risks associated with cybersecurity incidents, as the provider can help contain the attack, restore critical systems, and prevent future incidents.

3. Improved security posture and resilience, as the provider can offer proactive services to assess your environment, identify vulnerabilities, and enhance your incident response program.

4. Peace of mind and confidence, as you know that you have a trusted partner who can support you before, during, and after a cybersecurity crisis.

How to Negotiate the Scope and Limitations of Incident Response Retainer Services?
Negotiating this service is delicate and requires a clear understanding of, and cooperation between, both parties. Not all Incident Response Retainer Services are created equal: depending on the provider, the scope, limitations, and terms of the service may vary significantly. Therefore, it is important to negotiate the details of the service agreement carefully before signing it. The following are some key aspects to consider when negotiating an Incident Response Retainer Service:

1. The scope of services: What types of incidents are covered by the service? What are the deliverables and outcomes of the service? What are the roles and responsibilities of both parties? How will the communication and collaboration be conducted? How will the quality and satisfaction be measured?

2. The limitations of services: What types of incidents are excluded from the service? What are the assumptions and dependencies of the service? What are the constraints and challenges of the service? How will the escalation and resolution of issues be handled? How will the liability and indemnification be addressed?

3. The terms of services: How much does the service cost? How are the fees structured and billed? How many hours or days are included in the service? How can the hours or days be used or rolled over? How long is the duration of the service agreement? How can the service be renewed or terminated?

Sustainability of Incident Response Retainer Services for an Individual or Organization
To ensure the sustainability of IRR services, an individual or organization should do the following:

1. Choose a reputable and reliable IRR service provider that has the expertise, experience, and tools to handle various types of cybersecurity incidents.

2. Negotiate the scope, limitations, and terms of the IRR service agreement carefully, and make sure they align with the organization’s needs, expectations, and budget.

3. Review and update the IRR service agreement periodically, and communicate any changes or issues with the IRR service provider promptly.

4. Maintain a good working relationship with the IRR service provider, and provide feedback and suggestions to improve the quality and efficiency of the service.

5. Leverage the proactive services offered by the IRR

Steps for an Individual or Organization to Take When an Incident Response Retainer Service Breaches the Agreement
An agreement breach by the IRR Services provider is a serious matter that can have negative consequences for the individual or organization that hired them. Depending on the nature and extent of the breach, the individual or organization may have the following options:

1. Seek remediation from the IRR Services provider: The individual or organization may request the IRR Services provider to fix the problem, compensate for the damages, or provide additional services to prevent future incidents. The individual or organization should refer to the terms and conditions of the service agreement, which may specify the remedies and procedures for resolving disputes. For example, according to Accenture’s service description, if Accenture fails to meet certain service level agreements, it will credit the customer’s account with service credits.

2. Terminate the service agreement with the IRR Services provider: The individual or organization may decide to end the relationship with the IRR Services provider if the breach is severe or repeated, or if the remediation is unsatisfactory. The individual or organization should follow the termination clauses of the service agreement, which may require a notice period, a termination fee, or a mutual agreement. For example, according to RSA’s service description, either party may terminate the service agreement upon 30 days’ written notice to the other party.

3. Seek legal action against the IRR Services provider: The individual or organization may resort to legal action if the breach causes significant harm or loss, or if the other options are ineffective or unavailable. The individual or organization should consult a lawyer and gather evidence to support their claim. The legal action may involve arbitration, mediation, litigation, or other forms of dispute resolution. The individual or organization should also consider the jurisdiction and governing law of the service agreement, which may affect their rights and obligations. For example, according to Accenture’s service description, any dispute arising out of or relating to the service agreement shall be governed by the laws of New York and shall be resolved by binding arbitration in New York.

Some possible scenarios in which an IRR service provider may breach an SLA under Nigerian law:

1. The IRR service provider fails to secure the AWS S3 data buckets belonging to a state health agency in Nigeria, resulting in the exposure of personal and health information of thousands of people. The IRR service provider denies any data breach or exposure, despite being notified by Website Planet, a web security company. The data breach may violate the Nigeria Data Protection Regulation (NDPR), which requires data controllers and processors to implement appropriate technical and organizational measures to protect personal data and to take the necessary remedial actions.

2. The IRR service provider fails to detect or prevent a cyberattack on two major Nigerian banks, resulting in the compromise of their customers' financial details. The IRR service provider delays or avoids disclosing the incident to the public, regulators, or law enforcement agencies. The cyberattack may breach the Cybercrimes (Prohibition, Prevention, etc.) Act 2015, which mandates financial institutions to report any cyber incidents within seven days and to cooperate with the authorities in investigating and prosecuting cybercrimes. The necessary actions will be initiated to deter such conduct.

3. The IRR service provider fails to protect the emails belonging to the Lagos State government, resulting in the sale of these emails on the dark market. The IRR service provider does not inform or alert the government or the public about the incident. The email compromise may contravene the Freedom of Information Act 2011, which grants citizens the right to access public records and information held by public institutions, subject to certain exemptions and limitations. Accordingly, appropriate litigation will be instituted against the offender(s).

In conclusion, Incident Response Retainer Services are a valuable option for organizations that want to outsource their incident response capability to a trusted cybersecurity provider. However, not every Incident Response Retainer Service is suitable for every organization. Therefore, it is essential to negotiate the scope and limitations of the service agreement carefully before signing it. By doing so, you can ensure that you get the best value for your money and protect your business from cyber threats.


Aleke Francis AO is a Cybersecurity Expert, CyberThreat Intelligence Analyst, Researcher and an InfoTech blogger. Team Lead InfoTech News Hauz. He can be reached via: afraexkonsult@gmail.com, 08062062303