Simplify Third-Party Risk Assessments Against SEC Reporting Requirements
In March 2022 the U.S. Securities and Exchange Commission (SEC) proposed new rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies.
The SEC publication notes that cybersecurity risks have recently been escalating for a variety of reasons, including companies’ increasing reliance on third-party service providers for IT services and a growing number of cybersecurity incidents involving third-party service providers.
Although the SEC has not yet announced a date for when the changes will be finalized and enforced, there are several actions that third-party risk management teams can take now to begin preparing for the new requirements.
Disclose information about a material cybersecurity incident within four (4) business days after the company determines that it has experienced a material cybersecurity incident
Provide updated disclosures relating to previously disclosed immaterial cybersecurity incidents when they become material overall
Add “cybersecurity incidents” as a topic in regular reporting
Describe policies and procedures for the identification and management of risks from cybersecurity threats, and oversight of third-party service providers
Disclose in annual reports and proxy filings if any member of the company’s board of directors has expertise in cybersecurity
Disclose the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and implementing policies, procedures and strategies
Meeting SEC Cybersecurity Disclosure Requirements
The proposed SEC rules and amendments were introduced in response to a lack of consistency in public company cybersecurity incident reporting, which can erode investor confidence. The table below summarizes key requirements for third-party risk management and incident disclosure to restore that confidence.
NOTE: This information is presented as summary guidance only. Organizations should review the complete SEC requirements in consultation with their auditors.
Amendments | How We Help |
---|---|
Reporting of Cybersecurity Incidents on Form 8-K | |
“Disclose the following information about a material cybersecurity incident, to the extent the information is known at the time of the Form 8-K filing: | Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents as part of your broader incident management strategy. In addition to our SaaS platform solutions, Prevalent offers a managed service where our experts centrally manage your vendors; conduct proactive event risk assessments; score identified risks; correlate against continuous cyber monitoring; and issue remediation guidance – all on your behalf. Key capabilities include: Data and relationship mapping identifies relationships between your organization and third, fourth or Nth parties to visualize information paths and reveal at-risk data. Prevalent also provides access to a database containing 10+ years of data breach history for thousands of companies around the world – including types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications. Armed with these insights, your team can better understand the scope and impact of the incident; what data was involved; whether the third party’s operations were impacted; and when remediations have been completed – all by leveraging Prevalent experts. |
Disclosure About Cybersecurity Incidents in Periodic Reports: Updates to Previously Filed Form 8-K Disclosure, Item 106(d)(1) of Regulation S-K and Item 106(d)(2) of Regulation S-K | |
“Disclose: | Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives. Monitoring sources include: |
Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks: 1. Risk Management and Strategy, Item 106(b) of Regulation S-K | |
“The registrant has a cybersecurity risk assessment program and if so, provide a description of such program;” | Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program in line with your broader information security and governance, risk and compliance programs, based on proven best practices and extensive real-world experience. Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding – according to your organization’s risk appetite. As part of this process, Prevalent can help you define: |
“The registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;” | Prevalent features a library of 200+ pre-built templates for third-party risk assessments. Assessments can be conducted at the time of onboarding, at contract renewal, or at any required frequency (e.g., quarterly or annually). Assessments are managed centrally in the Prevalent Platform and are backed by workflow, task management and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle. Importantly, Prevalent delivers built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner. For organizations with limited resources and expertise, Prevalent can manage the third-party risk lifecycle on your behalf – from onboarding vendors and collecting evidence, to providing remediation guidance and reporting on contract SLAs. As a result, you reduce vendor risk and simplify compliance without burdening internal staff. |
“The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;” | Prevalent enables you to assess and monitor your third parties based on the extent of the threats to your information assets by capturing, tracking and quantifying inherent risks for all third parties. Criteria used to calculate inherent risk for third-party classification include: From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments. Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations. |
“The registrant undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents;” | Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives. Monitoring sources include: |
“The registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;” | Prevalent automates the assessment, continuous monitoring, analysis and remediation of risks to third-party business resilience and continuity – while automatically mapping results to NIST, ISO and other control frameworks. To complement its business resilience assessments and validate vendor questionnaire responses, Prevalent: This proactive approach enables your organization to minimize the impact of third-party disruptions and stay on top of compliance requirements. The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices that enables organizations to: When you need to terminate or exit critical services, you can leverage customizable surveys and workflows to report on system access, data destruction, access management, compliance with relevant laws, final payments, and more. The Prevalent solution also suggests actions based on answers to offboarding assessments and routes tasks to reviewers as necessary. |
“Previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies; ... “Cybersecurity related risk and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition and if so, how; and ... “Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation and if so, how.” | With Prevalent, you can establish a program to efficiently achieve and demonstrate third-party governance and compliance, while ensuring that policies and procedures evolve according to changing risk dynamics. The solution automates third-party risk management compliance auditing by collecting vendor risk information, quantifying risks, recommending remediations, and generating reports for dozens of government regulations and industry frameworks. Prevalent automatically maps information gathered from control-based assessments to ISO 27001, NIST, GDPR, CoBiT 5, SSAE 18, SIG, SIG Lite, SOX, NYDFS, and other regulatory frameworks, enabling you to quickly visualize and address important compliance requirements and adjust your program accordingly – including whether or not to accept residual risks. |
Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks: 2. Governance, Items 106(c)(1) and 106(c)(2) of Regulation S-K | |
“Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks; ... “The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and ... “Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight. ... “Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members; ... “Whether the registrant has a designated chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the registrant’s organizational chart, and the relevant expertise of any such persons; ... “The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and ... “Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.” | Prevalent provides a framework for centrally measuring third-party KRIs against your requirements and reducing gaps in vendor oversight with embedded machine learning (ML) insights and customizable, role-based reports. These capabilities can help your team to uncover risk trends, determine third-party risk status, and identify exceptions to common behavior that could warrant further investigation. Prevalent also improves efficiency by getting the right data into the right hands at the right time. This makes it easy for report recipients to quickly determine risk acceptability and make confident decisions, regardless of skill level. |