New Report: The 2022 Gartner® Market Guide for IT Vendor Risk Management Solutions

Hero reputational financial monitoring

U.S. SEC Cybersecurity Disclosure Rules Compliance

Simplify Third-Party Risk Assessments Against SEC Reporting Requirements

In March 2022 the U.S. Securities and Exchange Commission (SEC) proposed new rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies.

The SEC publication notes that cybersecurity risks have recently been escalating for a variety of reasons, including companies’ increasing reliance on third-party service providers for IT services and a growing number of cybersecurity incidents involving third-party service providers.

Although the SEC has not yet announced a date for when the changes will be finalized and enforced, there are several actions that third-party risk management teams can take now to begin preparing for the new requirements.

Relevant Requirements

  • Disclose information about a material cybersecurity incident within four (4) business days after the company determines that it has experienced a material cybersecurity incident

  • Provide updated disclosures relating to previously disclosed immaterial cybersecurity incidents when they become material overall

  • Add “cybersecurity incidents” as a topic in regular reporting

  • Describe policies and procedures for the identification and management of risks from cybersecurity threats, and oversight of third-party service providers

  • Disclose in annual reports and proxy filings if any member of the company’s board of directors has expertise in cybersecurity

  • Disclose the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and implementing policies, procedures and strategies

Prepare Now for Proposed SEC Cybersecurity Disclosure Rules

This guide is ideal for any security, compliance or risk management professional who needs to prepare their organization to meet upcoming SEC requirements.

Read Now
Feature sec cybersecurity checklist

Meeting SEC Cybersecurity Disclosure Requirements

The proposed SEC rules and amendments were introduced in response to a lack of consistency in public company cybersecurity incident reporting, which can erode investor confidence. The table below summarizes key requirements for third-party risk management and incident disclosure to restore that confidence.

NOTE: This information is presented as summary guidance only. Organizations should review the complete SEC requirements in full in consultation with their auditors.

Amendments How We Help

Reporting of Cybersecurity Incidents on Form 8-K
Item 1.05

“Disclose the following information about a material cybersecurity incident, to the extent the information is known at the time of the Form 8-K filing:

  • When the incident was discovered and whether it is ongoing;
  • A brief description of the nature and scope of the incident;
  • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  • The effect of the incident on the registrant’s operations; and
  • Whether the registrant has remediated or is currently remediating the incident.”

Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents as part of your broader incident management strategy.

In addition to our SaaS platform solutions, Prevalent offers a managed service where our experts centrally manage your vendors; conduct proactive event risk assessments; score identified risks; correlate against continuous cyber monitoring; and issue remediation guidance – all on your behalf.

Key capabilities include:

  • Continuously updated and customizable event and incident management questionnaires
  • Real-time questionnaire completion progress tracking
  • Defined risk owners with automated chasing reminders to keep surveys on schedule
  • Proactive vendor reporting
  • Consolidated views of risk ratings, counts, scores and flagged responses for each vendor
  • Workflow rules to trigger automated playbooks to act on risks according to their potential impact on the business
  • Built-in reporting templates for internal and external stakeholders
  • Guidance from built-in remediation recommendations to reduce risk

Data and relationship mapping identifies relationships between your organization and third, fourth or Nth parties to visualize information paths and reveal at-risk data.

Prevalent also provides access to a database containing 10+ years of data breach history for thousands of companies around the world – including types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.

Armed with these insights, your team can better understand the scope and impact of the incident; what data was involved; whether the third party’s operations were impacted; and when remediations have been completed – all by leveraging Prevalent experts.

Disclosure About Cybersecurity Incidents in Periodic Reports: Updates to Previously Filed Form 8-K Disclosure

Item 106(d)(1) of Regulation S-K and Item 106(d)(2) of Regulation S-K

“Disclose:

  • Any material impact of the incident on the registrant’s operations and financial condition;
  • Any potential material future impacts on the registrant’s operations and financial condition;
  • Whether the registrant has remediated or is currently remediating the incident; and
  • Any changes in the registrant’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes.”

Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives.

Monitoring sources include:

  • 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
  • A database containing 10+ years of data breach history for thousands of companies around the world
    Prevalent also incorporates business, reputational and financial data to add context to cyber findings and measure the impact of incidents over time.

Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks

1. Risk Management and Strategy, Item 106(b) of Regulation S-K

“The registrant has a cybersecurity risk assessment program and if so, provide a description of such program;”

Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program in line with your broader information security and governance, risk and compliance programs based on proven best practices and extensive real-world experience.

Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding – according to your organization’s risk appetite.

As part of this process, Prevalent can help you define:

  • Clear roles and responsibilities (e.g., RACI)
  • Third-party inventories
  • Risk scoring and thresholds based on your organization’s risk tolerance
  • Assessment and monitoring methodologies based on third-party criticality
  • Fourth-party mapping
  • Sources of continuous monitoring data (cyber, business, reputational, financial)
  • Key performance indicators (KPIs) and key risk indicators (KRIs)
  • Governing policies, standards, systems and processes to protect data
  • Compliance and contractual reporting requirements against service levels
  • Incident response requirements
  • Risk and internal stakeholder reporting
  • Risk mitigation and remediation strategies

“The registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;”

Prevalent features a library of 200+ pre-built templates for third-party risk assessments. Assessments can be conducted at the time of onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually).

Assessments are managed centrally in the Prevalent Platform, and are backed by workflow, task management and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle.

Importantly, Prevalent delivers built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner.

For organizations with limited resources and expertise, Prevalent can manage the third-party risk lifecycle on your behalf – from onboarding vendors and collecting evidence, to providing remediation guidance and reporting on contract SLAs. As a result, you reduce vendor risk and simplify compliance without burdening internal staff.

“The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;”

Prevalent enables you to assess and monitor your third parties based on extent of the threats to your information assets by capturing, tracking and quantifying inherent risks for all third parties. Criteria used to calculate inherent risk for third-party classification includes:

  • Type of content required to validate controls
  • Criticality to business performance and operations
  • Location(s) and related legal or regulatory considerations
  • Level of reliance on fourth parties (to avoid concentration risk)
  • Exposure to operational or client-facing processes
  • Interaction with protected data
  • Financial status and health
  • Reputation

From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations.

“The registrant undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents;”

Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives.

Monitoring sources include:

  • 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
  • A database containing 10+ years of data breach history for thousands of companies around the world

“The registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;”

Prevalent automates the assessment, continuous monitoring, analysis and remediation of risks to third-party business resilience and continuity – while automatically mapping results to NIST, ISO and other control frameworks.

To complement its business resilience assessments and validate vendor questionnaire responses, Prevalent:

  • Automates continuous cyber monitoring that may predict possible third-party business impacts
  • Accesses qualitative insights from over 550,000 public and private sources of reputational information that could signal vendor instability
  • Taps into financial information from a global network of 2 million businesses to identify vendor financial health or operational concerns

This proactive approach enables your organization to minimize the impact of third-party disruptions and stay on top of compliance requirements.

The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices that enables organizations to:

  • Categorize suppliers according to their risk profile and criticality to the business
  • Outline recovery point objectives (RPOs) and recovery time objectives (RTOs)
  • Centralize system inventory, risk assessments, RACI charts, and third parties
  • Ensure consistent communications with suppliers during business disruptions

When you need to terminate or exit critical services, you can leverage customizable surveys and workflows to report on system access, data destruction, access management, compliance with relevant laws, final payments, and more. The Prevalent solution also suggests actions based on answers to offboarding assessments and routes tasks to reviewers as necessary.

“Previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies; ...

“Cybersecurity related risk and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition and if so, how; and ...

“Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation and if so, how.”

With Prevalent, you can establish a program to efficiently achieve and demonstrate third-party governance and compliance, while ensuring that policies and procedure evolve according to changing risk dynamics.

The solution automates third-party risk management compliance auditing by collecting vendor risk information, quantifying risks, recommending remediations, and generating reports for dozens of government regulations and industry frameworks.

Prevalent automatically maps information gathered from control-based assessments to ISO 27001, NIST, GDPR, CoBiT 5, SSAE 18, SIG, SIG Lite, SOX, NYDFS, and other regulatory frameworks, enabling you to quickly visualize and address important compliance requirements and adjust your program accordingly – including whether or not to accept residual risks.

Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks

2. Governance, Items 106(c)(1) and 106(c)(2) of Regulation S-K

“Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks; ...

“The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and ...

“Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight. ...

“Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members; ...

“Whether the registrant has a designated chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the registrant’s organizational chart, and the relevant expertise of any such persons; ...

“The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and ...

“Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.”

Prevalent provides a framework for centrally measuring third-party KRIs against your requirements and reducing gaps in vendor oversight with embedded machine learning (ML) insights and customizable, role-based reports.

The capabilities can help your team to uncover risk trends, determine third-party risk status, and identify exceptions to common behavior that could warrant further investigation.

Prevalent also improves efficiency by getting the right data into the right hands at the right time. This makes it easy for report recipients to quickly determine risk acceptability and make confident decisions, regardless of skill level.

Navigate the TPRM Compliance Landscape

The Third-Party Risk Management Compliance Handbook reveals TPRM requirements in key regulations and industry frameworks, so you can achieve compliance while mitigating vendor risk.

Read Now
Feature tprm compliance handbook 0821
  • Ready to get started?
  • Schedule a personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo