SEC Cybersecurity Disclosure Rules: 9 Key Questions to Ask Third Parties
In 2023, the U.S. Securities and Exchange Commission (SEC) adopted new rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The SEC publication notes that cybersecurity risks have recently escalated for various reasons, including companies’ increasing reliance on third-party service providers for IT services and a growing number of incidents traced to service providers.
These new rules took effect in December 2023, and we are starting to see the effects of not following them. The SEC has announced enforcement actions against four software companies for making misleading statements about cybersecurity risks and incidents related to the 2020 SolarWinds breach. Because these companies downplayed how the breach affected their systems, the regulators found them in violation of federal securities laws, and one company also faced charges for having inadequate disclosure controls.
SEC Cybersecurity Disclosure Rules Implications on Third-Party Risk Management
These recent charges reinforce the critical importance of robust cybersecurity risk management within third-party risk management (TPRM) programs. Some key implications to highlight include:
- Enhance Cybersecurity Disclosures: Organizations must provide transparent and accurate disclosures about their cybersecurity posture, particularly regarding risks associated with third-party vendors. Misleading information can lead to significant regulatory penalties.
- Strengthen Due Diligence Processes: Companies should improve their due diligence when onboarding third-party vendors. This includes assessing vendors’ cybersecurity practices and ensuring they have robust measures to mitigate risks. Regular assessments and audits of vendor compliance are essential.
- Implement Stronger Controls and Procedures: Organizations need to establish and maintain effective internal controls for reporting cybersecurity incidents. Ensure you report all breaches involving third-party vendors promptly and accurately and establish clear communication protocols.
- Conduct Comprehensive Vendor Risk Assessments: Companies should evaluate the risks associated with each vendor based on their cybersecurity capabilities. Categorizing vendors by risk level allows organizations to tailor their risk management strategies and impose stricter cybersecurity requirements on higher-risk vendors.
- Provide Ongoing Training and Awareness: Organizations must offer employees regular training and awareness programs on the significance of accurate cybersecurity disclosures and the consequences of misleading information. Staff should understand the legal obligations related to cybersecurity risks and the importance of transparency.
- Develop Robust Incident Response Plans: Companies should create effective incident response plans that include third-party vendors. Ensure these plans address potential breaches through third-party channels, outlining communication strategies and escalation protocols.
- Stay Compliant with Regulatory Requirements: Organizations must remain vigilant about changing regulatory expectations regarding cybersecurity. The SEC’s actions indicate a trend toward increased regulatory scrutiny, making compliance with applicable laws and guidelines crucial.
Organizations should reassess and strengthen their third-party risk management programs, ensuring they can effectively manage and disclose cybersecurity risks. By doing so, they can better protect their reputation, maintain investor confidence, and mitigate potential legal and financial repercussions.
Best Practices for Third-Party Cybersecurity Risk Management, Governance, Strategy and Incident Disclosure
A well-governed third-party risk management program includes processes and technology that support identifying, triaging, and remediating risks across the third-party lifecycle. Here are several best practices to consider as you evaluate your third-party governance program:
- Profile and tier all third parties, gaining inherent risk scores that indicate the likelihood and impact of a cybersecurity incident and enable you to right-size ongoing due diligence activities
- Automate third-party risk assessment, risk scoring and remediation processes to expedite risk mitigation
- Continuously monitor third parties for cybersecurity risks and correlate risks against assessment results to validate findings
- Automate incident response processes to speed reporting and time to resolution
- Simplify board and executive reporting to enable clear and efficient decision making
- Continually benchmark your program against accepted best practices with compliance reporting against several frameworks and regulations
Next Steps: Download the SEC Cybersecurity Disclosure Rules Checklist
For more on how Prevalent can help your organization meet SEC reporting requirements, download our SEC Cybersecurity Disclosure Rules checklist. Or, contact us to schedule a demo today.
Address the Updated SEC Cybersecurity Disclosure Rules with this Third-Party Assessment
To help public companies address these updated requirements, Prevalent has created a 9-question assessment for the security and risk management community. Use the assessment to:
- Determine the extent of third-party cybersecurity incident management
- Identify how third parties report on the operational impacts of cyber incidents
- Examine third-party cybersecurity risk assessment and risk identification programs
- Clarify remediation actions taken as part of cybersecurity incident response
- Reveal the level of management oversight into third-party cybersecurity incidents
Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management company Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.