Cyber security contract: what UK SMEs need to know

Your business isn’t a tech company, but you’re expected to act like one when customers hand over personal data or when suppliers connect to your systems. A sensible cyber security contract turns vague promises into clear responsibilities — who does what, how fast, and who pays if things go wrong. Get it right and you protect revenue, reputation and sleep; get it wrong and you might be buying a very expensive lesson in hindsight.

Why a cyber security contract matters for firms of 10–200 staff

Small and mid-sized businesses in the UK are often the soft underbelly in a supply chain. You can have robust processes on paper, but if a supplier’s weak controls touch your systems, you’ll still be in the firing line for GDPR fines, client loss and the time spent fixing the mess.

A contract is more than a paper shield. It’s the playbook that sets expectations for incident response, liability, evidence and recovery. For businesses with between 10 and 200 staff, which typically juggle limited IT resources and growing commercial exposure, a well-drafted agreement keeps costs predictable and makes sure the right people act quickly when alarms sound.

What a cyber security contract should cover

Think of the contract as a checklist of behaviours and outcomes. The most useful sections focus on business impact rather than technical minutiae:

  • Scope and responsibilities: Clear definitions of what systems, data and users are covered and who is responsible for what — supplier, subcontractor or you.
  • Service levels and response times: How fast the supplier must acknowledge an incident and what constitutes a major breach versus a minor one.
  • Incident reporting and forensics: Requirements for notifying you, preserving evidence, and what access you’ll have to reports and logs.
  • Data protection and compliance: How the supplier supports GDPR obligations and assists with Subject Access Requests or regulatory enquiries.
  • Liability and caps: Who bears the financial risk for losses, and whether liability caps are reasonable for your scale.
  • Insurance and indemnities: Minimum insurance levels and who indemnifies whom for third-party claims.
  • Audit and assurance: Rights to audit, review security posture and remedy shortcomings.
  • Exit and continuity: Access to data and handover support if the relationship ends, to avoid downtime and data loss.

Common pitfalls and how they hit your bottom line

Here are things I see regularly when reviewing contracts across the UK: vague incident clauses that delay response, blanket liability caps that leave you holding uninsured losses, and subcontractors tucked away in a schedule with no oversight. Each of these becomes a billable problem.

Example: a supplier promises “reasonable measures” against cyber threats. That’s not actionable. If ransomware hits and the response time isn’t defined, the business loses trading hours and potentially clients. The cost isn’t just the ransom — it’s lost sales, reputational damage, regulators knocking, and the internal time spent chasing explanations.

Practical negotiation tips for UK businesses

Negotiation doesn’t need to involve navel-gazing over technical specs. Keep it practical and outcome-focused:

  • Define outcomes, not tools: Specify how quickly systems must be back online, what acceptable data loss is, and what customers should be told.
  • Insist on clear SLAs for incidents: Acknowledgement time, containment time, and full recovery time — and the credits or remedies if those aren’t met.
  • Allocate responsibility for third parties: Make the supplier responsible for their subcontractors’ security posture, with right-to-audit language.
  • Match liability to risk: If your data and reputation are on the line, unlimited or industry-standard caps that don’t reflect your exposure aren’t much help.
  • Agree minimum insurance: Confirm the supplier carries cyber insurance with defined limits and that you can request proof annually.
  • Test the response: Ask for evidence of drills, tabletop exercises or incident reports. A supplier who shies away is a red flag.
  • Keep review points: Security isn’t static. Build in periodic contract reviews and a change-control process for new integrations.

Clauses to read with a highlighter

When the legal team sends the draft back, these are the lines I underline:

  • Definitions: Make sure key terms (incident, personal data, downtime) are defined clearly.
  • Service Levels: Not vague promises — firm timings and remedies.
  • Incident Management: Notification windows, roles, data handling, and public statements.
  • Liability & Indemnity: Cap levels, carve-outs (e.g., wilful misconduct), and who covers regulatory fines.
  • Data Protection Assistance: Obligations to help with regulatory responses and Subject Access Requests.
  • Subcontracting: Approval rights, flow-down obligations and audit access.
  • Exit Assistance: Practical steps for data export, transfer and support during transition.

When to involve legal or a specialist

If the contract carries potential exposure that could materially affect cash flow or reputation, get counsel involved. You don’t need litigation-level lawyers for every review, but an experienced commercial lawyer or cyber adviser can translate exposure into sensible monetary limits and actions. In my experience, a short advisory call often saves days of internal debate and prevents expensive surprises.

Practical checklist before you sign

Before you stamp anything, make sure:

  1. The scope matches what you actually use, not what the supplier hopes you’ll adopt later.
  2. Incident SLAs are measurable and include remedies.
  3. Liabilities align with the value of the contract and your potential losses.
  4. There are audit rights and routine review points.
  5. The supplier commits to data return and transition support on termination.

FAQ

What is a cyber security contract?

It’s a commercial agreement that sets out the security-related obligations of a supplier and the buyer — who protects which data, how incidents are handled, and who pays for what if things go wrong. For a typical UK SME this means clarity on responsibilities, response times and cost exposure.

Should I accept a liability cap in a supplier contract?

Caps are common, but they should be sensible. If the cap leaves you facing significant uninsured losses from a breach, negotiate a higher cap, carve-outs, or ask for additional insurance. Match the cap to real commercial risk, not boilerplate language.

How quickly should a supplier report an incident?

Short answer: immediately, or within a contractual window such as 24 hours for major incidents. The contract should state notification timeframes and the information required so you can assess regulatory and customer obligations.

Can I require audits of my supplier?

Yes — ask for periodic security assessments or the right to review audit reports. For many SMEs, receiving assurance reports (e.g., third-party penetration test summaries) and a right to require remediation of any findings is sufficient and less disruptive than full audits.

Is exit support really necessary?

Absolutely. Without clear data handover and transition support you risk extended downtime and data loss. Make sure the contract specifies timelines, formats and any assistance required to move services away.

Getting the contract right protects turnover, reputation and time. If you’d like practical help turning a supplier draft into a business-ready agreement, a short review focused on SLAs, liabilities and exit planning can save time and money — and give you the calm of knowing your business is covered.