Security Reporting. Commencing no less than thirty (30) Days prior to the System Integration Date, and thereafter annually during the Term of this Agreement, Supplier shall deliver to Company evidence of Supplier's information security safeguards, including but not limited to current ISO27001 reports, SSAE 16 SOC2 Type 2 reports and annual third-party penetration tests, within thirty (30) days of each such report's completion, and any and all such other similar reports, as completed. Supplier shall, at no cost to Company, mitigate all critical and high-risk findings within ten (10) Days of receiving such findings and provide Company with evidence of such mitigation to the reasonable satisfaction of Company.

Malware. Supplier will (consistent with the following sentence) ensure that no Malware or malicious software, or similar items are coded or introduced into any aspect of the Grid Services, the GSDS, the DERMS, and the Supplier information systems and operating environments and processes used or relied upon by Supplier to provide the Grid Services, including the information, data and other materials delivered by or on behalf of Supplier to Company, the customers of Company, Participants and/or third party providers (collectively, Environment). Supplier will continue to implement improvements to and upgrades of its Malware prevention and correction programs and processes consistent with the then-current NIST technology industry's standards and, in any case, no less robust than the programs and processes implemented by Supplier with respect to its own information systems and, on a regular basis as requested by Company, Supplier shall provide Company with sufficient evidence of the same. Supplier shall furthermore ensure that all Supplier Agents comply with the obligations of Supplier as set forth in this Section 27.1 (c) (Malware).
If Malware is found to have been introduced into the Environment, Supplier will promptly notify Company, and Supplier shall take immediate action to eliminate and remediate the effects of the Malware at Supplier’s expense. Supplier shall not modify or otherwise take corrective action with respect to the Company Systems except at Company’s request. Supplier will promptly report to Company the nature and status of all security incidents, Malware detection, elimination and remediation efforts. On a regular basis as requested by the Company, Supplier shall provide Company with sufficient evidence of its efforts at continuous monitoring to evaluate the effectiveness of Supplier’s information security safeguards.
Sources: Grid Services Purchase Agreement, Grid Services Purchase Agreement