How common? Varies by provider. Third-party tools can also be used to provide encryption as a service.
Many buyers use third-party security services to verify their providers' security controls, such as ISO27001 or SOC1 and SOC2 audits. But in many cases, a vendor simply reporting that it complies with these audits does not give end users the information they need to evaluate the provider's system for their specific security needs.
Effectiveness: Believed insufficient
How common? Common
Full indemnification for security failure impact
In this situation, the contract would state that if there is a security breach, the provider is responsible for the customer's losses.
Effectiveness: Theoretically high
How common? Never
Insurance by a third party or by the vendor could help offset costs resulting from a security or data loss issue.
Effectiveness: Potentially helpful, but like the downtime credits, does not necessarily create an incentive for the provider to avoid a breach
How common? Rare, but growing
Negotiate security clauses
These allow customers to negotiate higher levels of security for certain programs or data.
Effectiveness: Potentially high
How common? Mostly for large customers only