
Please assume the following in responding:

  1. Data being passed to vendor is subject to data protection laws in the USA such as GLBA

  2. Data itself resides within the United States

  3. Switching vendors will be difficult due to tight integration with preexisting company products

  4. A mature cybersecurity program is in place at the outsourcing company and senior management has strong oversight. Active board of directors and active, independent internal audit function that oversees controls effectiveness

My employer is currently renewing a vendor contract in which new language was added by the vendor that grants them the ability to provide remote technical support from several countries outside of the USA. We are purchasing COTS software from this vendor and this software is currently used in our company's production environment.

I have joined a team that has responsibility for overseeing cyber security due diligence of company suppliers.

Several countries listed are considered to have high geopolitical risk mainly due to:

  1. Mandated government monitoring of communications and legal prohibition on use of VPN technology

  2. Excessive government influence over an impartial and independent judiciary combined with weak rule of law tradition. This is concerning if litigation were to arise in the future

Under the above assumptions, what are some strategies that would mitigate risks such as:

  • presence of backdoors in software to allow government interception of communications

  • Legal inability of vendor to use VPN or cryptography to protect our data subject to data protection laws in the USA such as GLBA

Anthony
  • What is the jurisdiction of the vendor contract? And what countries are listed? – Rodrigo Murillo Mar 23 '22 at 02:14
  • What type of software? Client, server, cloud, mobile,.. This is one vendor in particular? – Rodrigo Murillo Mar 23 '22 at 02:20
  • @RodrigoMurillo SaaS model of software. It's for internal use but will have data protected under GLBA. Country is Middle Eastern, will not list specifically for privacy protection – Anthony Mar 23 '22 at 02:31
  • Ok. And the contract is held in what jurisdiction/state? Are you signing their contract or they signing yours? – Rodrigo Murillo Mar 23 '22 at 02:41
  • We are signing their contract. Due to legal constraints, the vendor's hands are somewhat tied. Weak rule of law means our legal remedies are questionable – Anthony Mar 23 '22 at 02:50
