Investigative Intelligence

As such, a greater peace of mind is achieved not only through contractual protections, but also through direct and continuous engagement with the third-party service providers prior to and after contract execution specifically on this important issue. Some suggested pre- and post-contract due diligence measures to further mitigate the risk of loss of IP and trade secrets shared with a third-party service provider are as follows:
Pre-contract and Post-contract Due Diligence Measures
1. Pre-contract:

• Classify IP/trade secrets/sensitive information assets by criticality, based on potential loss impact (financial and reputational);
• Develop a set of requirements for protection of aforementioned assets in all formats (verbal, physical and digital);
• Develop a meaningful process for sharing only what is needed with each third-party and understand whether their controls match yours;
• Perform a litigation history search against each third-party to identify any issues relating to their governance and compliance controls;
• Speak with the third-party’s current clients to better understand their strengths and weaknesses related to protection of clients’ IP/trade secrets/sensitive information;
• Develop open-source intelligence (press, social media etc.) about the third-party’s reputation;
• Conduct site visits to validate their ability to comply with your protection requirements;
• Negotiate broad rights to audit with and without notification using a multi-disciplinary team from your side (internal audit, cyber security, operational security, risk management, business unit relationship owner, legal, compliance);
• Evaluate their incident reporting process to validate its uniformity, efficiency and effectiveness as it relates to your organisation’s need to know; and,
• Develop an exit plan should the outsourcing engagement fall short of your expectations.

2. Post-contract:

• Exercise your right to audit both remotely and through site visits by using your multi-disciplinary team;
• Offer frequent (at least quarterly) training on protection controls via different methods (lectures, webinars, posters, management meetings etc.);
• Reward and make examples of compliance and enforce administrative sanctions for non-compliance;
• Engage in incident management at a senior level, depending on asset criticality and the level of negative effect; and,
• Perform root-cause analysis for identified vulnerabilities and work together with the third-party to mitigate them.

Being more proactive pre- and post-contract about protection of IP, trade secrets, and sensitive information is less about investing money than it is about investing the time to focus on what is important to your organisation and how you can take a multi-pronged approach to managing this risk vis-à-vis your third-party service providers. Actively engaging with your third-party service providers prior to and throughout your relationship, and utilising a multi-disciplinary team to apply oversight, common sense and root-cause analysis is time well invested.