Do contracts specify a breach notification SLA short enough to meet your own regulatory obligations?
Description
What this control does
This control ensures that third-party contracts include explicit breach notification service level agreements (SLAs) that allow the organization to meet its own regulatory reporting obligations. For example, if GDPR requires 72-hour breach notification to supervisory authorities, vendor contracts must specify notification within 24-48 hours to allow internal assessment and reporting. The control addresses the time gap between when a vendor discovers a breach and when the organization is informed, which directly impacts compliance deadlines. Without contractual SLAs, organizations may receive breach notifications too late to fulfill legal or contractual duties to regulators, customers, or partners.
Control objective
What auditing this proves
Demonstrate that all third-party contracts containing breach notification clauses specify time-bound notification requirements that provide sufficient lead time to meet the organization's own regulatory and contractual breach reporting obligations.
Associated risks
Risks this control addresses
- Organization fails to notify regulators within required timeframes (e.g., GDPR 72-hour rule) due to delayed vendor notification, resulting in regulatory penalties
- Vendor delays breach disclosure for weeks or months, allowing attackers to exploit compromised data or credentials across the organization's environment
- Organization cannot meet contractual breach notification obligations to its own customers, leading to contract breaches, litigation, or customer churn
- Delayed notification prevents timely incident response actions such as credential rotation, network segmentation, or forensic preservation
- Board and executive leadership receive breach information too late to fulfill fiduciary and governance responsibilities, creating legal exposure
- Insurance claims are denied or reduced due to failure to meet policy notification requirements triggered by late vendor disclosure
- Reputational damage is amplified when media or affected parties learn of breaches before the organization can control communications
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's documented regulatory and contractual breach notification obligations, including specific timeframes (e.g., GDPR 72 hours, state breach laws, customer SLAs)
- Calculate the maximum acceptable vendor notification timeframe by subtracting internal assessment and reporting time from regulatory deadlines (e.g., if 72 hours required and 24 hours needed internally, vendor SLA must be ≤48 hours)
- Request copies of all active third-party contracts involving processing, storage, or access to sensitive data, personal information, or systems within scope
- Review each contract's breach notification clause and extract the specific notification timeframe (e.g., 'within 24 hours of discovery', 'without unreasonable delay', or no specified timeframe)
- Compare each contractual notification SLA against the calculated maximum acceptable timeframe to identify gaps or non-compliant contracts
- Identify contracts with ambiguous language ('promptly', 'as soon as practicable') and assess whether these meet the objective standard required
- Interview procurement, legal, and vendor management personnel to confirm whether breach notification SLA requirements are included in vendor onboarding and contract negotiation processes
- Sample recent vendor contract amendments or renewals to verify that breach notification SLA requirements have been incorporated into updated agreements