Analyst Insight: The Gartner® Market Guide for IT Vendor Risk Management Solutions
SEC Cybersecurity Disclosure Rules: 9 Questions to Ask Third Parties Now
In July 2023, the U.S. Securities and Exchange Commission (SEC) adopted new rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies. The SEC publication notes that cybersecurity risks have recently been escalating for a variety of reasons, including companies’ increasing reliance on third-party service providers for IT services and a growing number of incidents traced to service providers.
The new amendments will be effective 30 days after publication in the Federal Register, and public companies are expected to begin reporting on the new requirements for fiscal years starting on or after December 15, 2023.
Prepare for the Updated SEC Cybersecurity Disclosure Rules with this Third-Party Assessment
To help public companies prepare for the new reporting requirements, Prevalent has created a 9-question assessment for the security and risk management community. Use the assessment to:
- Determine the extent of third-party cybersecurity incident management
- Identify how third parties report on the operational impacts of cyber incidents
- Examine third-party cybersecurity risk assessment and risk identification programs
- Clarify remediation actions taken as part of cybersecurity incident response
- Reveal the level of management oversight into third-party cybersecurity incidents
| Questions | Answer Choices |
|---|---|
|
1) Has the organization established a formal cybersecurity incident management process? |
Please select one of the following: a) Yes, a formal cybersecurity incident management process has been developed. b) No, a formal cybersecurity incident management process has not been developed. |
|
2) Would the organization disclose the following information about a material cybersecurity incident? |
Please select all that apply. a) When the incident was discovered and whether it is ongoing. b) A brief description of the nature and scope of the incident. c) Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose. d) The effect of the incident on the registrant’s operations. e) Whether the registrant has remediated or is currently remediating the incident. |
|
3) Following identification of a cybersecurity incident, is the material impact and potential impact on operations and financial condition recorded and disclosed? |
Please select one of the following: a) Yes, both material and potential impact to operational and financial conditions are recorded. b) No, impact to operational and financial conditions are not recorded or disclosed. |
|
4) Do disclosures of cybersecurity incidents include remediation actions taken, and where changes to policy or procedure have been made as a result of these incidents? Help text: Any changes in the registrant’s policies and procedures as a result of a cybersecurity incident should be recorded. |
Please select one of the following: a) Yes, remediation actions are taken, and changes to policy or procedures are disclosed. b) No, remediation actions are not taken, and changes to policy or procedures are not disclosed. |
|
5) Does the organization have a cybersecurity risk assessment program? |
Please select one of the following: a) Yes, a cybersecurity risk assessment program has been developed. b) No, a cybersecurity risk assessment program has not been developed. |
|
6) Has the organization established any policies and procedures to oversee and identify the cybersecurity risks associated with its use of third-party service providers? |
Please select all that apply. a) A set of policies and procedures for managing risks associated with third-party service providers is established. b) Results of risk assessments support the decision for the selection and oversight of third-party service providers. c) Risks associated with the use of third-party service providers are actioned, and security and privacy controls are defined within third-party contracts. |
|
7) Do the results of cybersecurity risk assessments factor into decisions regarding governance policies and procedures, technologies and business strategies? |
Please select one of the following: a) Yes, the results of cybersecurity risk assessments are considered when reviewing governance policies and procedures, technologies and business strategies. b) No, results of cybersecurity risk assessments are not considered when reviewing governance policies and procedures, technologies and business strategies. |
|
8) Does the organization's management, board or designated committee have responsibility for the oversight of cybersecurity risks? |
Please select one of the following: a) Yes, management, the board or a designated committee has responsibility for cybersecurity risks. b) No designated group or committee has overall responsibility for cybersecurity risks. |
|
9) Please state how the board and management receive information regarding cybersecurity risks. |
Please select all that apply. a) The board and management receive notifications about cybersecurity risks on a frequent basis. b) Cybersecurity risks are considered as part of business strategy, risk management and financial oversight planning. |
Comply with the Latest SEC Cybersecurity Disclosure Rules
This guide is ideal for any security, compliance or risk management professional who needs to prepare their organization to meet the latest SEC requirements.
Best Practices for Third-Party Cybersecurity Risk Management, Governance, Strategy and Incident Disclosure
A well-governed third-party risk management program includes processes and technology that supports identifying, triaging, and remediating risks across the third-party lifecycle. Here are several best practices to consider as you evaluate your third-party governance program:
- Profile and tier all third parties, gaining inherent risk scores that indicate the likelihood and impact of a cybersecurity incident and enable you to right-size ongoing due diligence activities
- Automate third-party risk assessment, risk scoring and remediation processes to expedite risk mitigation
- Continuously monitor third parties for cybersecurity risks and correlate risks against assessment results to validate findings
- Automate incident response processes to speed reporting and time to resolution
- Simplify board and executive reporting to enable clear and efficient decision making
- Continually benchmark your program against accepted best practices with compliance reporting against several frameworks and regulations
Next Steps: Download the SEC Cybersecurity Disclosure Rules Checklist
For more on how Prevalent can help your organization meet SEC reporting requirements, download our SEC Cybersecurity Disclosure Rules checklist. Or, contact us to schedule a demo today.
It All Starts Here
Ready to see how Prevalent can take the pain out of your TPRM program? Request a free, no-obligation demo today.
Request Demo-
NIST CSF 2.0: Implications for Your Third-Party Risk Management Program
Enhanced cybersecurity supply chain risk management guidance is coming in NIST CSF 2.0. Check out the...
09/12/2023
-
The NIST AI Risk Management Framework and Third-Party Risk Management
Leverage this guidance to align your TPRM program with the NIST AI RMF to better govern...
08/30/2023
-
Complying with OSFI Guideline B-10 for Third-Party Risk Management
Learn about the third-party assessment requirements in Guideline B-10 from the Office of the Superintendent of...
07/20/2023
-
Ready for a demo?
- Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
- Request a Demo