What contractual provision specifically allocates cybersecurity responsibilities between a company and its third-party vendor?