Commitment overview
To maintain a secure and resilient IT environment, all clients are required to meet a defined set of baseline security requirements. These standards are essential for protecting both the Client’s and the Service Provider’s systems, data, and operations from cyber threats.
Implementation may take time. However, to the extent permitted by law, the Service Provider is not liable for any security incident, breach, data loss, or related service issue that could reasonably have been prevented by timely implementation or ongoing maintenance of the security controls below. Until the baseline is fully met, related remediation work falls outside the scope of standard service coverage.
Baseline requirements
These apply where the relevant security control is included in the selected services. Where a control is not included, the Client is expected to implement an equivalent solution internally or through a third-party provider, unless otherwise agreed in writing.
- Regular operational reviews. Engage in scheduled meetings to: review reports and address security concerns; reconcile the list of staff and devices and identify discrepancies; address any excessive use as defined in the Master Terms of Service.
- Multifactor authentication (MFA). Implement phishing-resistant MFA or similar controls to secure access to all critical systems.
- Application control. Implement our Application Control product, or similar from another provider, to manage and monitor application usage and prevent unauthorised applications from running.
- Vulnerability management. Implement enhanced vulnerability management or equivalent, attempting to remediate known vulnerabilities within a 30-day period or better.
- Cybersecurity awareness training. Participate via our Cybersecurity Training or equivalent.
- Password management. Implement a password manager with single sign-on via our Password Manager or similar.
- HR collaboration. Include the Service Provider in new-hire onboarding and termination processes.
- Regular staff and device audits. Reconcile staff and device lists with the Service Provider on the agreed cadence.
- Incident response planning. Develop and maintain a plan specifically addressing how to manage and mitigate cyber incidents.
- Data backup. Ensure all critical business data is backed up via our services or similar.
- Software provider collaboration. Work with software providers to implement and enforce MFA.
Liability, coverage exclusion, and remedy
Until the baseline is fully implemented:
- To the extent permitted by law, we are not liable for any incident that could reasonably have been prevented by adherence.
- Work related to such incidents is not covered by standard service entitlements and may incur additional charges.
If CCP detects that a mandatory baseline control has not been implemented or has been removed:
- We notify the Client in writing, specifying the non-compliance and outlining the steps required. We offer reasonable assistance where the relevant control is included in the Client’s plan.
- The Client has 30 days (the Remedy Period) from notice to address the non-compliance or agree a remediation plan. If still non-compliant after this period:
  - We may suspend or restrict only the affected service(s) where technically possible. We accept no liability for incidents or losses during the non-compliant period.
  - If ongoing non-compliance creates a material risk to our systems or other clients, or partial suspension is not technically or commercially feasible, we may terminate the agreement with a further 30 days’ written notice.
- We may extend the Remedy Period where the Client is actively working with us in good faith.
Acknowledgement
By engaging our services, the Client acknowledges and agrees to these baseline security requirements, recognising their role in upholding the security and integrity of the shared IT environment.
For the current binding version of this document, or any question in plain English, contact hello@ccp.com.au or call (08) 9467 2269. Governed by the laws in force in Western Australia. The Australian Consumer Law applies to the extent mandatory.