To really understand the security posture of a vendor, the security assessment process must necessarily involve the exchange of potentially sensitive information. While transparency in your approach to customer trust and third-party risk management can have huge benefits for your business, it still makes sense to be prudent in the way you share information.
That’s why non-disclosure agreements (NDAs) can be such an important tool in your TPRM tool chest. The problem is that, for many companies, the risk assessment process is already time-consuming; an NDA can sometimes seem like another step to manage, slowing down the sales or procurement cycle even more.
But there’s a better way to safely and effectively utilize and manage NDAs as part of a robust TPRM program. Let’s take a look at why NDAs are important, some of the challenges they pose, and what you can do to better leverage them.
What is an NDA?
A non-disclosure agreement is a legally binding arrangement between two or more parties to ensure the confidential sharing of information. These documents are useful because they:
- Establish clear expectations for proceedings
- Keep sensitive or otherwise important information safe
- Create a legal framework for recourse in the event that terms of an NDA are violated
There are several different kinds of NDA:
- Unilateral (or “one-way”) NDAs are when only one party in the arrangement is receiving or viewing sensitive information. This is most commonly used between employees and employers, but there may be instances in which such an agreement makes sense during vendor assessment.
- Bilateral NDAs are established between two parties and are the most common variety used in TPRM.
- Multilateral NDAs are used when three or more parties are involved.
These basic varieties are a foundation, but your unique business needs might require more types of NDAs. Even when utilizing a standard, bilateral NDA, it may be necessary to draft several different versions of an NDA. For example, if you wanted to partition the kinds of information you share during a security assessment by role type, you may draft a different version for Legal, Procurement, or InfoSec.
Why are NDAs necessary?
Obviously, an NDA helps to protect sensitive information, but there are several other important business reasons that an NDA might be part of your TPRM strategy. Here are the most important.
When we surveyed more than 500 cybersecurity and risk leaders, 96% of respondents reported they were more likely to buy from a vendor that was transparent about security posture. That’s because transparency around security builds trust—which is the cornerstone of a strong partnership.
But transparency also makes it easier to take a risk-based approach to InfoSec. Full disclosure of security information can help software buyers:
- Understand the full scope of risks they are taking on
- Target their greatest areas of vulnerability during the assessment process
- Rank risks consistently across their third-party ecosystem
- Allocate InfoSec resources more effectively by monitoring and managing the right risks
- Set realistic timetables for necessary reassessment
Documentation of Due Diligence
Strong NDA policies and procedures help all parties involved track and record their due diligence efforts. This includes documenting the kinds of NDAs that are issued, who has signed one, how long they are binding and when a new agreement is necessary, and how NDA language evolves as businesses grow or change.
This is particularly important in the case of third-party risk. In the event of a costly security breach, strong NDA management may help to protect the parties involved from legal liability—or help to determine liability in the event the terms of an NDA are violated.
Faster Security Assessments
One of the biggest headaches in the third-party security assessment process is the seemingly endless back and forth between buyers and sellers. InfoSec leaders can sometimes feel as if all they do is hunt for documentation or respond to emails.
Vendors are not always entirely forthcoming with security information. This is somewhat understandable, as there is a very real perception that if cyber attackers ever find out the details of your defenses, they’ll know exactly how to attack you. An NDA allows you to share more documentation while maintaining strong controls over who receives it. When you get the NDA process right, InfoSec, Procurement, and Legal teams can get all the information they need faster—and without the back and forth.
What are the challenges of NDA Management?
Given their utility, it’s no surprise that many companies have NDAs ready for contract negotiations, employee onboarding, or vendor security assessments. As we’ve discussed, there are clear advantages to using NDAs in these ways.
Still, many businesses run into challenges when it comes to maintaining strong NDA management relating to third-party risk. These hiccups can actually lead to less transparency (creating a generic trust center rather than sharing detailed documentation); less visibility and control of the due diligence process (fewer documented agreements); and an even slower assessment process (haggling over who’s signed, which draft of the NDA is appropriate, ensuring the right parties have the right access).
Here are a few of the most common challenges when it comes to managing NDAs:
- Time consuming to draft and maintain—Many organizations find NDA maintenance cumbersome and skip the process altogether; this means they either share less security info during assessments (which can cost them deals) or they expose themselves to unnecessary risks.
- Tracking across multiple platforms—Third-party risk management can take place across multiple systems. You may have a GRC tool for TPRM or customer trust, Salesforce to track prospects and customer activity, and any number of email or messaging platforms for communication (you may also be doing all of this activity manually in spreadsheets, which causes its own challenges).
And that’s only one part of the NDA process. Many organizations manage contracts or agreements like NDAs with Docusign. This tool is fantastic for housing and tracking the NDAs themselves, but if it’s not integrated into other parts of your TPRM workflow, you may end up duplicating efforts across systems if you ever need to make changes, if NDAs expire, or you need to know at a glance the NDA status of a prospect.
- Collaborating with multiple stakeholders—Security assessments involve many teams or business units from both buyer and seller organizations: Sales, Procurement, InfoSec, IT, and Legal can all be intimately involved. Without a simple, centralized way to maintain shared visibility over the status or changes of an NDA, important information can be missed. This can slow down the process, but it can also expose you to cyber and legal risks.
Whistic+Docusign strengthens and simplifies NDA management
Whistic’s dual-sided TPRM platform now integrates seamlessly with Docusign, helping you to tackle these challenges and making NDA management easier than ever. By linking their Docusign account to their Whistic Security Profile, software vendors can easily:
- Manage NDAs once, not multiple times—Changes made to NDA language in Docusign now automatically transfer to your Whistic Profile. This eliminates the tedious step of transferring changes between platforms manually. The automation is simpler, and it also cuts down on the possibility of costly human error.
- Monitor and communicate NDA status across platforms and stakeholders—This integration also makes it possible to track NDA status for individual users in other platforms, like Salesforce. That way, you can see which contacts have signed and when their NDA expires. You no longer have to run separate reports to reconcile this information on different platforms.
It also makes sure that contacts who have an active NDA are not prompted to sign another one when they access your security documentation, so there’s less back and forth.
- Fully integrated NDA and TPRM workflows—Rather than work in silos, every business unit involved can keep their workflows aligned. Best yet, necessary steps and processes can be initiated through Whistic as part of the questionnaire request/response process.
For example, if your legal team requires approval each time a new NDA is used or renewed, this check can be initiated when the vendor assessment starts. This also helps keep InfoSec closer to the process and grants them greater visibility, increasing their effectiveness and strengthening your security posture.
- Increased transparency and faster TPRM—Because NDAs are easier to manage, update, renew, or augment, it’s safer and faster than ever to share important security documentation with prospects and customers. That transparency builds trust, helps deals close more quickly, and helps software buyers more effectively manage risk.
Are you interested in improving NDA management while also automating and accelerating your customer trust or TPRM program? Whistic can help. Our dual-sided, AI-driven platform takes the time necessary to request and respond to security assessments from weeks or months to minutes. We’ll even get you started with a free Whistic Profile today.