Vague cybersecurity contracts a concern, warns Digital61 exec

Contracts should spell out exact responsibilities.

Vague definitions of cybersecurity providers’ responsibilities are a recurring issue, warns Digital61 chief information and digital officer Sunny Bhatia.

Sunny Bhatia, Digital61

Bhatia was responding to an invitation from iTnews' sister publication, techpartner.news, to selected firms in its MSP Index directory to share their opinions about what organisations should prioritise when assessing or renewing cybersecurity services.

He is one of several respondents in this series to discuss blind spots and other issues they’ve observed in cybersecurity contracts.

Q. Are you seeing a need for many organisations in Australia to update how they assess cybersecurity contracts – if so, why, and what is one thing they should focus on now?

Sunny Bhatia, Digital61: Yes — cybersecurity threats, compliance requirements, and regulatory expectations are evolving too quickly for static, multi-year contracts to remain fit-for-purpose. Organisations should move beyond purely technical SLAs and build in contractual mechanisms for continuous improvement, such as quarterly security posture reviews and threat landscape updates. This ensures that both parties proactively adapt to new vulnerabilities, standards, and technologies, rather than waiting until a renewal cycle forces a change.

Q. Are you currently seeing a common cybersecurity contract blind spot or red flag you think is being missed too often?

Sunny Bhatia, Digital61: A recurring blind spot is vague or incomplete definitions of the provider’s security responsibilities versus the customer’s. Without clearly articulated shared responsibility models, critical gaps emerge — particularly in areas like incident response, patch management, and SaaS application protection. Contracts should spell out exact responsibilities for prevention, detection, reporting, and recovery to avoid confusion during an incident.

Q. Incident response and recovery can make or break a cybersecurity partnership. What’s one contract clause organisations should insist on – particularly with ransomware reporting now in focus?

Sunny Bhatia, Digital61: A clearly defined incident response time-to-action clause is essential. This should set binding timelines for acknowledgement, containment, investigation, and communication during a security event, including ransomware. Additionally, the clause should require post-incident reporting with actionable recommendations, enabling organisations to improve defences and meet new regulatory reporting obligations without delay.

Q. Are cybersecurity contracts keeping pace with the reporting and assurance needs of boards and business leaders – or are they still too IT-focused?

Sunny Bhatia, Digital61: Most contracts still focus heavily on technical KPIs and neglect executive-level reporting. Boards need concise, business-focused security assurance reporting that links cyber risks to business impact, regulatory obligations, and strategic decisions. Contracts should include requirements for regular executive briefings, risk dashboards, and alignment with recognised governance frameworks so security outcomes are meaningful at all levels.

Q. Are cyber insurance requirements reshaping what goes into contracts – and if so, what should clients be watching for?

Sunny Bhatia, Digital61: Yes — insurers are demanding higher security baselines, more frequent audits, and evidence of incident readiness. As a result, contracts increasingly include provisions for ongoing security attestations, MFA enforcement, and data backup verification. Clients should ensure that these requirements are realistic, measurable, and embedded in operational processes rather than treated as “tick-box” obligations that only surface at renewal.

Sunny Bhatia is chief information and digital officer at Digital61, an Australian-owned systems integrator and managed services provider specialising in secure cloud, cybersecurity, and modern workplace solutions for government and enterprise clients.

See the directory of managed service providers (MSP) at techpartner.news.

Disclaimer: The views expressed in this Q&A are those of the individual contributors and do not necessarily reflect the views of iTnews or techpartner.news. The content is provided for general informational purposes only and does not constitute legal, financial or professional advice.

Copyright © iTnews.com.au . All rights reserved.