Business Risks from the Perspective of Security Incidents and Preventing Related Issues
NEC Security Blog, Jan 16, 2026
This blog post outlines the risks that may arise from business interactions between vendors and clients, including security incidents (hereinafter referred to as “incidents”) and related issues, as well as key points to keep in mind to mitigate these risks.
Introduction
Recently, as cyberattacks have become more intense and news reports of security incidents have become frequent, cybersecurity has become a topic of active discussion and is now viewed as a top priority for preventing such incidents. However, there are cases where incidents have occurred because prior agreements were unclear or the scope of responsibility in contracts was ambiguous, as well as cases where such ambiguity has led to disputes. Even a recent incident investigation report that garnered significant attention states that “failure to fully clarify the boundaries of responsibility between vendors, as well as between users and vendors, was a factor that exacerbated the incident” [1]. Consequently, addressing business risks as part of incident response measures is considered ever more important. In this article, we refer to risks in business interactions that could lead to incidents or related problems as “Incident-Related Business Risks,” and we outline key strategies for mitigating them.
Incident-Related Business Risks and their Countermeasures
In this section, we introduce Incident-Related Business Risks and measures to mitigate them. Here we cover two risks: “entering into contracts with an ambiguous scope of responsibility” and “verbal agreements.”

If the scope of responsibility remains unclear when signing an operations and maintenance contract, there is a risk that neither the vendor nor the client will perform the necessary work, which could lead to an incident, as shown in Figure 1. The DX Report (Overcoming the “2025 Cliff” of IT Systems and the Full-Scale Rollout of DX) issued by the Ministry of Economy, Trade and Industry also states, “When entering into contracts, the division of responsibilities and tasks between client companies and vendors is often unclear. As a result, this can lead to disputes such as lawsuits for damages, which in turn require even more time and money” [2], thus indicating the importance of clarifying the division of responsibilities. Therefore, it is important to clearly define the scope of work to be performed at the time of contracting. While operations and maintenance tasks are sometimes described in vague terms, at the contract stage tasks should be specified concretely, such as “patch application” or “collection and provision of vulnerability information,” to minimize any potential misunderstanding between the vendor and the client.
In addition, ensure that the scope of work for which responsibilities have been assigned is clearly reflected in the operations and maintenance design documents and procedures, for example by coordinating with the organization responsible for operations and maintenance. Although fulfilling the scope of responsibility outlined in the contract may seem a matter of course, it is important to note that there have actually been incidents in which work agreed upon in the contract was overlooked.

When agreements, such as clarifying the wording of a contract or defining the scope of responsibility for each party, are made solely through verbal promises between a vendor and a client, there is a risk that they could later lead to disputes over what was or was not said, as shown in Figure 2. In the Supply Chain Security Guide for Practitioners published by the IPA, the section on contract execution states, “In practice, it is common that existing contracts will be used as-is or that the wording may become abstract. In such cases, to prevent problems from arising, confirm with the business partner what the content is intended to mean and document it in meeting minutes or similar records” [3]. In other words, keeping a record of the details confirmed and agreed with your clients helps prevent trouble. Therefore, make sure to document any agreements reached during discussions. In particular, if an agreement is made during a brief conversation after a meeting, be sure to confirm the details of that agreement again later via email or chat.
Summary
We have introduced the risks in business interactions that can lead to incidents and related problems (Incident-Related Business Risks) and key points for mitigating them. In addition to cybersecurity measures, clarifying the scope of responsibility and keeping records of agreements are also crucial for preventing incidents and disruptions. We hope this serves as an opportunity for you to increase your focus on their importance.
References
- [1] 徳島県つるぎ町立半田病院 コンピュータウイルス感染事案 有識者会議調査報告書 https://www.handa-hospital.jp/topics/2022/0616/report_01.pdf
- [2] DXレポート~ITシステム「2025年の崖」の克服とDXの本格的な展開~ https://www.meti.go.jp/policy/it_policy/dx/20180907_02.pdf
- [3]
Profile
Genki Sugimoto, CISSP, RISS
Responsibility Area: Security Implementation Technology
Specialization: Security Implementation Technology
Engaged in promoting secure development and providing technical support to in-house SE teams, as well as serving as an instructor for security training.
Awarded the Grand Prize in the “Hardening 2020 Business Objectives” hardening contest.
Awarded the MVV in “Hardening 2023 Business Generatives.”
Holds CISSP and Information Security Support Specialist certifications.
