Simplify Third-Party Risk Assessments Against SEC Reporting Requirements
In July 2023 the U.S. Securities and Exchange Commission (SEC) adopted new rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies.
The SEC publication notes that cybersecurity risks have recently been escalating for a variety of reasons, including companies’ increasing reliance on third-party service providers for IT services and a growing number of cybersecurity incidents involving third-party service providers.
The new amendments and reporting requirements officially took effect on December 18, 2023. Under the rules, public companies must:
- Disclose information about a material cybersecurity incident within four business days after the company determines that the incident is material.
- Provide updated disclosures relating to previously disclosed cybersecurity incidents when they become material.
- Explain management's role in cybersecurity governance.
Comply with the Latest SEC Cybersecurity Disclosure Rules
This guide is ideal for any security, compliance or risk management professional who needs to prepare their organization to meet the latest SEC requirements.
Meeting SEC Cybersecurity Disclosure Requirements
The SEC rules and amendments were introduced in response to a lack of consistency in public company cybersecurity incident reporting, which can erode investor confidence. The table below summarizes key requirements for third-party risk management and incident disclosure to restore that confidence.
NOTE: This information is presented as summary guidance only. Organizations should review the complete SEC requirements in full in consultation with their auditors.
| Amendment | Requirement | How We Help |
|---|---|---|
| Reporting of Cybersecurity Incidents on Form 8-K | “Describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” | Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents as part of your broader incident management strategy. In addition to our SaaS platform solutions, Prevalent offers a managed service where our experts centrally manage your vendors; conduct proactive event risk assessments; score identified risks; correlate against continuous cyber monitoring; and issue remediation guidance – all on your behalf. Key capabilities include: Prevalent also provides access to a database containing 10+ years of data breach history for thousands of companies around the world – including types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications. Armed with these insights, your team can better understand the scope and impact of the incident; what data was involved; whether the third party’s operations were impacted; and when remediations have been completed – all by leveraging Prevalent experts. |
| Disclosure About Cybersecurity Incidents in Periodic Reports: Updates to Previously Filed Form 8-K Disclosure | “Disclose information that would have initially been reported on the Form 8-K had it been known or available at the time of initial disclosure.” | Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives. Monitoring sources include: |
| Disclosure of a Registrant’s Cybersecurity Risk Management and Strategy (Item 106(b) of Regulation S-K) | “Whether and how the described cybersecurity processes in Item 106(b) have been integrated into the registrant’s overall risk management system or processes” | Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program in line with your broader information security and governance, risk and compliance programs, based on proven best practices and extensive real-world experience. Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding – according to your organization’s risk appetite. As part of this process, Prevalent can help you define: |
| Item 106(b), continued | “Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes” | Prevalent features a library of 750+ pre-built templates for third-party risk assessments. Assessments can be conducted at the time of onboarding, at contract renewal, or at any required frequency (e.g., quarterly or annually) depending on material changes. Assessments are managed centrally in the Prevalent Platform and are backed by workflow, task management and automated evidence review capabilities, so that your team has visibility into third-party risks throughout the relationship lifecycle. Importantly, Prevalent delivers built-in remediation recommendations based on risk assessment results so that your third parties address risks in a timely and satisfactory manner and can provide appropriate evidence to auditors. The solution automates third-party risk management compliance auditing by collecting vendor risk information, quantifying risks, recommending remediations, and generating reports for dozens of government regulations and industry frameworks. Prevalent automatically maps information gathered from control-based assessments to ISO 27001, NIST, GDPR, COBIT 5, SSAE 18, SIG, SIG Lite, SOX, NYDFS, and other regulatory frameworks, enabling you to quickly visualize and address important compliance requirements and adjust your program accordingly – including whether or not to accept residual risks. For organizations with limited resources and expertise, Prevalent can manage the third-party risk lifecycle on your behalf – from onboarding vendors and collecting evidence, to providing remediation guidance and reporting on contract SLAs. As a result, you reduce vendor risk and simplify compliance without burdening internal staff. |
| Item 106(b), continued | “Whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider” | Prevalent enables you to assess and monitor your third parties based on the extent of the threats to your information assets by capturing, tracking and quantifying inherent risks for all third parties. Criteria used to calculate inherent risk for third-party classification include: From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments. Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations. |
| Disclosure of a Registrant’s Management’s Role and Board Role in Cybersecurity Governance (Items 106(c)(1) and 106(c)(2) of Regulation S-K) | “The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic”; “The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents”; and “Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors” | Prevalent provides a framework for centrally measuring third-party KRIs against your requirements and reducing gaps in vendor oversight with embedded machine learning (ML) insights and customizable, role-based reports. These capabilities help your team uncover risk trends, determine third-party risk status, and identify exceptions to common behavior that could warrant further investigation. Prevalent also improves efficiency by getting the right data into the right hands at the right time, making it easy for report recipients to quickly determine risk acceptability and make confident decisions, regardless of skill level. |