All of your company’s most sensitive information — from new sales to employee salaries to confidentiality agreements — lives in your contracts. While most companies go to great lengths to restrict access to email inboxes and other internal resources, few companies have invested the same time and effort in securing their contracts. As a result, contract management security is a significant blindspot for companies of all sizes.
If you work with contracts, you’ve probably wondered how you can keep your contracts secure without slowing down your business or inadvertently blocking contract access to colleagues. Here, we walk you through the evolution of contract management security and provide a checklist of the steps you can take to keep your company protected.
In the process, we’ll answer the questions that keep legal teams up at night. What’s the difference between external and internal contract security risks? What contract management features give you visibility into contract access and workflow history? How can your company turn what may be a contract security liability into a compliance asset?
What is contract management security?
Contracts are the lifeblood of all companies. They ensure that employees get paid, that services are delivered on time, and that partnerships with other companies are durable. Contract management security is the set of systems and practices that ensure the information inside contracts can only be viewed by people who need it to perform their jobs.
The common assumption is that contract management security just means protecting your contracts from external threats like data breaches and malicious actors. In this context, keeping contracts safe is largely a technical issue. Your company may require virtual private network (VPN) access to access company files, for instance, or it may require that employees change their email passwords every few months.
But it isn’t enough to protect contracts from malicious actors. Most companies also need to pay attention to internal security risks like rogue contracting (i.e., executing contracts without going through the normal approval channels) and unauthorized contract access, whether in your cloud storage tool or your contract repository. Addressing internal security risks requires a combination of technical and operational vigilance. You can’t limit access to company contracts by role or flag improper contract access without having clearly defined responsibilities for every step of the contract lifecycle.
Contracts touch every part of a company, so it’s not surprising that contract security must be a company-wide effort.
How do well-intentioned legal teams end up with unacceptable contract administration risks?
Most companies think of securing contracts in terms of trade-offs. In their efforts to streamline business and legal processes, legal teams may adopt processes that inadvertently weaken contract security. (The opposite trade-off is also possible, but it’s less common because contract security tends to be an invisible cost, in the short-term.) Take contract template access, for example. Legal teams that manage contract templates manually tend to fall into one of two traps:
- Slowing the business down by restricting contract templates to Legal only. In this approach, which is the most restrictive, business users must email Legal, sometimes at an email alias like legal@, to request contract generation. Business users never get access to editable contract templates, and Legal sends counterparties contract PDFs for signature. This approach sacrifices speed for security, since all contract generation requires action by Legal. However, it ensures security pre- and post-execution because Legal manages all contract files.
- Exposing the company to risks by allowing business users to generate contract templates on their own and bring in Legal for approval or review before execution. Giving business users the ability to generate contract templates on their own may accelerate the pre-execution stages of a contract lifecycle, but only if business users generate the contract template without making any errors. In this approach, which emphasizes speed over full Legal control, Legal is brought in for approval and review once a contract is ready for signature. (That said, giving business users access to contract templates also enables these users to send contracts out for signature even if those contracts have not been reviewed by Legal.)
These same contract administration risks apply to other stages of the contract lifecycle, too (e.g., approval, execution, archival). Companies tend to adopt overly permissive or overly restrictive contracting policies because they lack the ability to put guardrails around the contracting process. Fortunately, new technologies allow teams to move from “all-or-nothing” access policies to policies automatically governed by requester role, contract type, and other key contract attributes.
What security features should be on your company’s CLM checklist?
The security of your contracts shouldn’t live separately from your company’s contract and legal operations. Instead, it should be baked into your company’s tools and standard operating procedures. By choosing the right technical solutions from the outset, you can ensure contract security without sacrificing your team’s efficiency.
Here are the technical and operational contract management security features to look for in your next CLM:
Technical Security Must-Haves
- Strong encryption. Encryption prevents unauthorized users from being able to view your contract data. Look for a contract management system that encrypts all data in transit (using TLS 1.2 or higher) and at rest (through AES-256).
- Cloud-based infrastructure. Cloud-hosted platforms give your company’s contract management administrators the ability to quickly make changes to security policies and monitor software usage across your company.
- Security certifications. At a minimum, look for companies with SOC 1 and SOC 2 certifications. These certifications focus on how organizations manage and maintain the confidentiality and integrity of sensitive information (e.g., customer data).
- Fine-grained user permissions. Look for solutions that allow you to set user permissions by role, department, contract types, and other criteria. For example, perhaps you want contracts administrators need to be able to see all sales contracts, but not any HR contracts. Ask vendors to demonstrate how these types of cases would be handled in their systems.
- Penetration and vulnerability testing. Audits and external tests can expose security risks that are likely to be exploited by malicious actors. Make sure that you choose a vendor that conducts penetration and vulnerability tests annually, if not quarterly.
Operational Security Must-Haves
- Easily configurable permissions. Software permissions determine which of your company’s users can conduct certain contract tasks (e.g., contract generation, approval, and signing). Your legal team manages many types of contracts. Some are high-volume, but carry relatively low risk, while others are low-volume, but high-risk. Look for a solution that centralizes all contract generation and expedites approval and signature for low-risk contract types.
- Built-in conditional approval routing. Your CFO may not need to approve low-value software purchases, but you may want to require her approval for contracts above a certain amount. But what if your CFO’s out of town? Will your contract software be able to reroute approval requests on an ad hoc basis? To prevent rogue contracting, look for tools that let you modify and deploy changes to contract approval conditions instantly.
- Native System for Cross-Domain Identity Management (SCIM) integration. SCIM is an open, widely used standard for managing authentication and authorization for users across organizations. Smaller companies may be able to manage permissions for individual users and groups, but larger companies (especially those that are distributed) will require digital contracting solutions that can use the SCIM standard to automatically provision user permissions. That way, things like employee onboarding and transfer between departments can automatically be reflected in contract management permissions in a CLM.
- Detailed contract audit logs that include contract-related communications and user actions. A key part of ensuring secure contracts is having visibility into contract behavior. If a contract is executed, for example, contract administrators should be able to quickly view a record of all communications, versions, and user actions related to that contract to ensure compliance with internal policies.
- Built-in integrations with cloud storage and eSignature providers. Your company likely has existing solutions for cloud file storage (e.g., Box, Dropbox) and eSignature that have been configured to respect your company’s security policies. Look for a contract management system that integrates with these tools so that you can speed up the implementation process and respect existing policies around document access and retention.
Security is a crucial consideration when you’re considering contract management solutions, but it’s also important to think about things like implementation, versatility, and integrations.
Ironclad is not a law firm, and this post does not constitute or contain legal advice. To evaluate the accuracy, sufficiency, or reliability of the ideas and guidance reflected here, or the applicability of these materials to your business, you should consult with a licensed attorney. Use of and access to any of the resources contained within Ironclad’s site do not create an attorney-client relationship between the user and Ironclad.
- What is contract management security?
- How do well-intentioned legal teams end up with unacceptable contract administration risks?
- What security features should be on your company’s CLM checklist?
Want more content like this? Sign up for our monthly newsletter.