Aaron Finnis, chief strategy officer at Identity and Access Management (IAM) specialist Identifly, has echoed others in the cybersecurity industry by saying he sees organisations focussed on completing checklists while ignoring other important aspects of cyber risk.
He is one of various cybersecurity industry figures invited by iTnews’ sister publication techpartner.news, publisher of the MSP Index directory, to share their views about what organisations should focus on when assessing cybersecurity contracts.
Q: Are you seeing a need for many organisations in Australia to update how they assess cybersecurity contracts – if so, why, and what is one thing they should focus on now?
Aaron Finnis, Identifly: Yes, we are seeing more comprehensive review processes from customers. I feel they need to check and confirm the scope of services, and what data will be held or accessed. This will determine the extent of time and effort, and the number of key requirements for adhering to cyber controls.
Q: Are you currently seeing a common cybersecurity contract blind spot or red flag you think is being missed too often?
Aaron Finnis, Identifly: Yes. One common gap is in processes for adding and removing access to customer assets. Often vendors are onboarded with a lot of initial access, but there is often no review or ‘renewal’ of access.
Q: Are you seeing any significant tension between compliance requirements and what’s practical to include in cybersecurity contracts?
Aaron Finnis, Identifly: Compliance requirements are becoming more onerous, yet they often overlook core third-party risks, such as where vendors operate from and how they access assets.
“A lot of the focus is on completing detailed checklists, while the practical processes that truly reduce risk are sometimes ignored.” – Aaron Finnis, Identifly
Q: With CPS 230 and other regulatory pressure on third-party risk, are you seeing any knock-on effects for cybersecurity agreements?
Aaron Finnis, Identifly: Yes, we are seeing more ‘checklist’ style reviews that are point-in-time. I feel these may miss the mark long term; as organisations grow, their cyber posture will change, so regular, ongoing reviews are essential. That need is still a gap in many agreements.
Q: Do you see any unresolved issues when it comes to how cybersecurity contracts cover SaaS data protection – such as with Xero, HubSpot, Salesforce or other common tools?
Aaron Finnis, Identifly: Often these contracts are standard with little room to negotiate or make changes, making it difficult to include clauses that require timely reporting of incidents and enforce compliance with a particular framework.
Q: Incident response and recovery can make or break a cybersecurity partnership. What’s one contract clause organisations should insist on – particularly with ransomware reporting now in focus?
Aaron Finnis, Identifly: Reporting of incidents within 48 hours of discovery. It’s tough for customers to act if they aren’t made aware of a potential cyber incident that may impact customer data. This clause is a non-negotiable for me.
Q: Are cybersecurity contracts keeping pace with the reporting and assurance needs of boards and business leaders – or are they still too IT-focused?
Aaron Finnis, Identifly: I’d say no; contracts tend to be heavy on insurance and liability, but lighter on enforcing key controls, such as how partners access customer environments, conducting regular access reviews, and validating checklist controls. Ideally, they should go further by requiring independent assurance to verify that partner controls are effective.
Q: Are cyber insurance requirements reshaping what goes into contracts – and if so, what should clients be watching for?
Aaron Finnis, Identifly: Yes. We’re seeing a significant increase in customers requiring higher levels of cyber insurance coverage. Clients should also look closely at the scope of that coverage, the partner’s exclusions, and whether the insurer mandates compliance with specific frameworks or minimum controls.
Q: What’s a smart way for organisations to balance holding partners accountable while respecting their need to limit liability?
Aaron Finnis, Identifly: Set clear requirements and communicate them early to avoid surprises. I also recommend annual independent assurance, giving customers confidence that minimum controls are in place without relying solely on a partner’s word.
Q: For small businesses under real cost pressure, what’s the most effective way to structure cybersecurity partner contracts?
Aaron Finnis, Identifly: Keep it simple. Adding complexity to contracts and requirements often increases review effort without delivering real risk reduction. Instead, prioritise a few key controls such as clear reporting and independent assurance, and make sure those are embedded in partner contracts first.
Aaron Finnis is Chief Strategy Officer at Identifly, which specialises in Identity and Access Management (IAM) and provides end-to-end solutions including strategy, deployment and ongoing support via managed services. The company’s team of 25 specialists aim to help organisations save time, cut costs, strengthen cybersecurity and provide seamless user experiences.
See the directory of managed service providers (MSP) at techpartner.news.
Disclaimer: The views expressed in this Q&A are those of the individual contributors and do not necessarily reflect the views of iTnews or techpartner.news. The content is provided for general informational purposes only and does not constitute legal, financial or professional advice.