Consulting Agreement for Cybersecurity

Last updated: May 2026  |  11 min read

Quick Answer

A cybersecurity consulting agreement lives or dies on the Rules of Engagement (RoE). Without a written, signed RoE that names approved targets, test windows, prohibited techniques, and an emergency stop contact, a penetration test is potentially a Computer Fraud and Abuse Act (18 USC 1030) violation. The contract also has to handle privilege (work-product protection usually depends on outside counsel engaging the firm for a legal purpose; Genesco v. Visa shows it done right, In re Capital One shows it lost), public-company disclosure under SEC Form 8-K Item 1.05 (the 4-business-day rule, effective December 2023), and incident response coordination with the FBI, CISA, or sector-specific regulators. Fees in this market: vCISO retainer $8k–$25k/month, penetration test $15k–$45k per scope (PCI scope often $25k–$60k), SOC 2 readiness $30k–$120k, breach response $400–$900/hour for senior incident responders. Pull every clause below into the engagement letter before any scanner gets pointed at anything.

The unique risks of cybersecurity consulting

Cybersecurity consulting carries three risks no generic services contract addresses: criminal exposure under the CFAA without written authorization, loss of work-product and attorney-client protection if the firm is engaged directly by the client instead of by outside counsel, and SEC reporting clocks that start once the company determines an incident is material, a determination the consultant's written characterization of a finding can force. Each one belongs in the engagement letter, not in an email thread.

The work is not one thing. A vCISO writes board memos and never touches a terminal. A red team simulates an APT against production and needs explicit RoE covering social engineering, physical access, and cloud control plane attacks. A digital forensics and incident response (DFIR) firm preserves disk images that may become evidence in litigation or a DOJ proceeding — chain of custody matters. A SOC 2 or HITRUST readiness consultant produces a roadmap that an auditor will later read. The contract has to name which service and govern accordingly.

A third reality is that the consultant is often the first to find a breach. Notification clocks assume timely escalation: several states fix a hard deadline (Florida, Maine, Colorado, and Washington are 30 days; Texas allows 60 days for individual notice but only 30 days for notice to the attorney general) while most others require notice "without unreasonable delay"; HIPAA allows 60 days under 45 CFR 164.404; the SEC Form 8-K Item 1.05 clock is 4 business days from the materiality determination; and CIRCIA will impose 72-hour incident reporting on covered critical infrastructure entities once its implementing rule is final. If the contract says "consultant will notify client of incidents in a commercially reasonable timeframe," the client has already lost the argument with regulators.

Industry-specific clauses to include

  • Rules of Engagement (RoE) Exhibit: Lists IP ranges, hostnames, AWS accounts, third-party services NOT in scope, test windows, prohibited techniques (DoS, social engineering of executives, physical access, etc.), emergency stop contact, and an authorization letter the tester can carry on-site. This is the CFAA defense.
  • Privilege & Kovel-Style Engagement: Where breach-related work is anticipated, engagement should be through outside counsel under a written Kovel letter so work product and attorney-client privilege can attach (see In re Capital One Consumer Data Sec. Breach Litig., E.D. Va. 2020: Mandiant's report was held NOT protected work product because Mandiant was already on a business-purpose retainer and the statement of work was simply re-papered through counsel mid-incident, so the court found the report would have been produced in substantially the same form regardless of litigation).
  • Incident Notification SLA: Critical findings within 4 hours, high within 24 hours, material breach immediately, with parallel obligation for the consultant to preserve logs and evidence under a litigation-hold standard.
  • SEC Materiality Coordination Clause: Consultant agrees not to publish a "material" characterization in writing without coordinating with client's general counsel, given the SEC Form 8-K Item 1.05 4-business-day clock under the 2023 cyber disclosure rule.
  • Data Processing & Subprocessor Schedule: Lists all subprocessors (cloud forensics platforms, threat-intel feeds, offshore SOC tier-1, etc.) with their location and role; required if any client data is personal data under GDPR Art. 28 or US state privacy laws.
  • Non-Training Clause: Prohibits the consultant from using client data, logs, source code, or findings to train any AI/ML model or to benchmark against other clients without explicit written consent.
  • Retest & Remediation Validation: Defines whether a follow-up validation test is included in fee, and at what severity threshold; common omission that creates scope disputes after a vulnerability is patched.
  • Insurance Schedule: Technology E&O / Cyber Liability of $5M minimum (the market default for mid-market security consultancies; $10M+ for DFIR firms), with breach response and regulatory defense sub-limits called out.
  • Background Checks & Personnel: Consultant warrants that all assigned personnel passed a criminal background check within the last 12 months, with a US-persons-only restriction where ITAR/EAR-controlled environments are in scope.
  • IP & Custom Tooling: Distinguishes consultant's pre-existing toolkit (Metasploit modules, Burp extensions, internal scripts — consultant retains) from custom exploit chains, client-specific detection rules, and the final report (assigned to client).
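The RoE exhibit only protects the tester if the tooling actually consults it before the first packet leaves. The following is an added example written for this page, not code from the original article or from any vendor: a default-deny pre-flight gate that checks a candidate target against the exhibit's in-scope ranges, explicit exclusions (including third-party hosts the client cannot authorize), the approved test window, and the prohibited-technique list. Every value in ROE is constructed for illustration (RFC 5737 TEST-NET ranges, example.com names, made-up technique labels and dates), not a real engagement.

```python
"""Pre-flight scope check against a Rules of Engagement exhibit.

Added example for this page; not part of the original article or any tool.
All ROE values below are constructed: TEST-NET addresses, example.com
hostnames, hypothetical technique labels and a hypothetical test window.
"""
import ipaddress
from datetime import datetime, timezone

ROE = {
    "in_scope_cidrs": ["203.0.113.0/24", "198.51.100.0/25"],
    "in_scope_hosts": ["app.example.com", "*.api.example.com"],
    # Explicit carve-outs win over any in-scope entry.
    "excluded_cidrs": ["203.0.113.10/32"],       # e.g. a payment gateway inside the range
    "excluded_hosts": ["status.example.com"],    # third-party SaaS; client cannot authorize it
    # (start, end) in UTC, end exclusive; a window may cross midnight.
    "windows_utc": [("2026-06-01T22:00", "2026-06-02T06:00")],
    "prohibited_techniques": {"dos", "exec-social-engineering", "physical"},
}


def utc(iso):
    """Parse a naive ISO-8601 timestamp as UTC (keeps the block self-contained)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def _networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _host_matches(host, patterns):
    """Exact match, or wildcard '*.zone' matching any subdomain but not the apex."""
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("*."):
            if host.endswith(p[1:]) and host != p[2:]:
                return True
        elif host == p:
            return True
    return False


def target_status(target, roe=ROE):
    """Return 'in-scope', 'excluded' or 'unlisted' for an IP address or hostname."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        if any(addr in n for n in _networks(roe["excluded_cidrs"])):
            return "excluded"
        if any(addr in n for n in _networks(roe["in_scope_cidrs"])):
            return "in-scope"
        return "unlisted"
    if _host_matches(target, roe["excluded_hosts"]):
        return "excluded"
    if _host_matches(target, roe["in_scope_hosts"]):
        return "in-scope"
    return "unlisted"


def in_test_window(now, roe=ROE):
    """True if 'now' (tz-aware) falls inside any approved window."""
    return any(utc(s) <= now < utc(e) for s, e in roe["windows_utc"])


def preflight(target, technique, now, roe=ROE):
    """Default-deny gate: anything not positively authorized is refused.

    Returns (allowed, reason). Unlisted targets are refused, not just
    excluded ones, because the client can only authorize what it listed.
    """
    status = target_status(target, roe)
    if status != "in-scope":
        return False, f"{target} is {status}; stop and confirm with the client contact"
    if technique in roe["prohibited_techniques"]:
        return False, f"technique '{technique}' is prohibited by the RoE"
    if not in_test_window(now, roe):
        return False, f"{now.isoformat()} is outside every approved test window"
    return True, "proceed; record target, technique and start time against the RoE"


if __name__ == "__main__":
    now = utc("2026-06-01T23:30")
    for tgt, tech in [("203.0.113.25", "port-scan"), ("203.0.113.10", "port-scan"),
                      ("203.0.113.200", "dos"), ("x.api.example.com", "web-scan"),
                      ("status.example.com", "web-scan"), ("10.0.0.5", "port-scan")]:
        print(f"{tgt:22} {tech:12} -> {preflight(tgt, tech, now)}")
```

Wire a gate like this in front of whatever launches the scanner (a wrapper around the scan command, a CI job, a C2 tasking hook) and log each decision with the RoE version it was evaluated against; the log is what you hand over if a third party later asks why their system was touched. The apex-versus-wildcard distinction matters: listing `*.api.example.com` does not authorize `api.example.com` itself, so the exhibit should spell out both when both are intended.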

Common mistakes in cybersecurity consulting agreements

  • Pen test without a signed RoE. The "go ahead and start" Slack message is not authorization. If the tester accidentally crosses into a sibling AWS account or hits a third-party SaaS the client doesn't actually own, the client had no authority to authorize that access, and the tester is one abuse complaint away from a CFAA problem.
  • Breach-response firm engaged directly by the company. Capital One lost privilege on a $190M+ incident because Mandiant was a long-time vendor doing what looked like ordinary business work. Engage breach DFIR through outside counsel from day one.
  • "Commercially reasonable" incident notification. Useless under SEC Item 1.05, HIPAA's 60-day rule, or state breach statutes such as California Civil Code 1798.82. Use hard hours with a documented escalation tree.
  • No retest scope. Findings come in, the team patches, then asks "are we fixed?" — and the consultant says "that's a new SOW." Define retest scope and validity window (typically 60–90 days) up front.
  • Sharing reports broadly inside the client. A pen test report is an attack map: an attacker who obtains it gets a verified, prioritized list of weaknesses and the exact steps that worked. Limit distribution to a named list, mark it Highly Confidential, and store it in an encrypted repository with access logging.
  • Silent on AI/LLM use by consultant. If the firm feeds client source code into a public LLM to triage findings, the client may have a contract or trade-secret problem. Address training, retention, and tool stack in the contract.

Regulatory landscape

The legal backstop for any testing work is the Computer Fraud and Abuse Act (18 USC 1030), which makes unauthorized access a federal crime; Van Buren v. United States (2021) narrowed the "exceeds authorized access" prong but left "without authorization" untouched, so authorization should be in writing. DOJ's May 2022 charging policy directs prosecutors not to charge good-faith security research, but a charging policy is not a statutory defense and does not bind civil plaintiffs. The DMCA anti-circumvention rules (17 USC 1201) create separate exposure for security research on copy-protected systems unless covered by the Library of Congress triennial security research exemption. Wiretap Act (18 USC 2511) issues arise in network packet capture; the consent and provider exceptions typically cover a client-employer's own network, but the contract should document that consent.

Sector overlays: HIPAA Security Rule (45 CFR Part 164 Subpart C) for any work touching ePHI, including incident reports; GLBA Safeguards Rule (16 CFR Part 314, amended December 2021 with most provisions effective June 2023) for financial services, plus the October 2023 amendment (effective May 2024) adding a 30-day FTC notification requirement at 16 CFR 314.4(j) for notification events involving 500 or more consumers; SEC Regulation S-P (17 CFR Part 248) with the May 2024 amendments requiring notice to affected individuals within 30 days of becoming aware of an incident; SEC cyber disclosure rule at 17 CFR 229.106 and Form 8-K Item 1.05 (4-business-day materiality disclosure for public companies, effective December 18, 2023); CIRCIA (6 USC 681b) requiring covered critical infrastructure entities to report cyber incidents to CISA within 72 hours and ransomware payments within 24 hours (rule finalization expected 2026); and state breach laws across all 50 states with varying clocks (NY SHIELD Act, California Civil Code 1798.82, Texas Business and Commerce Code 521.053, etc.).

Frameworks commonly referenced in scope: NIST CSF 2.0 (February 2024), NIST SP 800-53 Rev. 5, NIST SP 800-61 Rev. 3 (incident response), NIST SP 800-115 (technical security testing), ISO/IEC 27001:2022, CIS Controls v8, PCI DSS v4.0.1 (future-dated requirements effective March 31, 2025), SOC 2 Trust Services Criteria (2017, revised 2022), HITRUST CSF v11, and FedRAMP for any cloud work touching federal data. Cross-border tooling exposure: Wassenaar Arrangement intrusion-software controls as implemented in the EAR (ECCN 4D004/4E001.c, with License Exception ACE at 15 CFR 740.22) if exploit code crosses borders, and OFAC sanctions screening for any incident response retainer that might encounter ransomware payment scenarios (OFAC's October 2020 advisory on facilitating ransomware payments was updated in September 2021 and remains live).

Sample fee structure

Cybersecurity consulting prices vary by specialty and city; the following ranges reflect the US market in 2025–2026:

  • vCISO retainer: $8,000–$25,000/month for 20–40 hours; senior practitioners with board-reporting experience price at $400–$700/hour blended.
  • External penetration test (network/web): $15,000–$45,000 per scope; PCI-scoped tests $25,000–$60,000; senior testers bill $300–$500/hour internally.
  • Red team engagement (4–8 weeks): $80,000–$250,000 with assumed-breach scenario design and physical components.
  • SOC 2 Type II readiness: $30,000–$120,000 over 4–6 months, plus audit firm fees (separate $25,000–$80,000 for the auditor).
  • HIPAA Security Risk Assessment (per 45 CFR 164.308(a)(1)(ii)(A)): $10,000–$45,000 depending on entity size.
  • Incident response retainer: $5,000–$25,000/year for guaranteed response SLA, then $400–$900/hour for senior DFIR responders (Mandiant, CrowdStrike Services, Unit 42, and Kroll are at the upper end).
  • Breach response engagement: $150,000–$2M+ depending on scope; assume blended $500/hour and a typical mid-size incident is 600–2,000 hours.

For incident response work, negotiate fees with outside counsel in the loop and require monthly burn reports against a not-to-exceed cap; cyber insurance policies typically require pre-approved panel firms and panel rates.

How to draft this in Word with LexDraft

Open the LexDraft add-in and start from the consulting agreement template, then attach the Rules of Engagement as an exhibit and import the incident notification SLA, non-training, and insurance schedule clauses. For breach response work, draft the engagement under a Kovel letter via outside counsel rather than directly with the client. If you are also putting a confidentiality agreement in front of a pen test prospect before signing the main SOW, the NDA template is a clean starting point, and the full templates library covers how the pieces fit. Comparing tools? See LexDraft vs Spellbook.

Frequently asked questions

Does a penetration test need written authorization even if the client has approved it verbally?

Yes. Without written authorization, the testing activity may violate the Computer Fraud and Abuse Act (18 USC 1030). A signed Rules of Engagement also protects against accidental over-scope, third-party SaaS provider abuse-control triggers, and disputes with downstream cloud providers. Carry a "letter of authorization" during any on-site testing.

Should breach response work be engaged through outside counsel?

For breach DFIR work, yes. In re Capital One Consumer Data Security Breach Litigation (E.D. Va. 2020) held that Mandiant's incident report was discoverable because the engagement was historically a business relationship, not a legal one, and re-papering it through counsel after the breach did not change that. A Kovel-style engagement letter signed by outside counsel from day one of the incident gives the best chance of work-product and attorney-client privilege coverage.

Can a consultant's findings trigger SEC disclosure obligations?

If the client is a public company, the SEC Form 8-K Item 1.05 4-business-day disclosure clock starts when the company determines an incident is material, and that determination must itself be made without unreasonable delay after discovery. The consultant's written conclusion that a finding is "material" can force that determination. The contract should require coordination with general counsel before any written materiality assessment is finalized.

Who owns the report, the tooling, and the proof-of-concept code?

The default position most firms accept: client owns the final report and any client-specific exploit chains or detection rules; consultant retains pre-existing tooling, public exploits, generic methodology, and reporting templates. Address PoC code separately because it is often custom-built and may contain non-public vulnerability details that need destruction or escrow.

How much insurance should a cybersecurity consultant carry?

Technology E&O / Cyber Liability of at least $5M for mid-market consultancies; $10M or more for DFIR firms handling large-scale incidents. Require breach response and regulatory defense sub-limits called out separately, confirm the policy covers the consultant's own data handling, and ask for a certificate of insurance plus 30 days' notice of cancellation.

Disclaimer: This guide is for informational purposes only and does not constitute legal advice. Laws change frequently and may vary by jurisdiction. Consult a licensed attorney for advice specific to your situation.
