
U.S. SEC Cybersecurity Disclosure Rules Compliance

Simplify Third-Party Risk Assessments Against SEC Reporting Requirements

In July 2023 the U.S. Securities and Exchange Commission (SEC) adopted new rules and amendments to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies.

The SEC publication notes that cybersecurity risks have recently been escalating for a variety of reasons, including companies’ increasing reliance on third-party service providers for IT services and a growing number of cybersecurity incidents involving third-party service providers.

The new amendments will be effective 30 days after publication in the Federal Register, and public companies are expected to begin reporting on the new requirements for fiscal years starting on or after December 15, 2023.

Relevant Requirements

  • Disclose information about a material cybersecurity incident within four business days after the company determines that the incident is material.

  • Provide updated disclosures relating to previously disclosed cybersecurity incidents when they become material overall.

  • Explain management's role in cybersecurity governance.

Comply with the Latest SEC Cybersecurity Disclosure Rules

This guide is ideal for any security, compliance or risk management professional who needs to prepare their organization to meet the latest SEC requirements.


Meeting SEC Cybersecurity Disclosure Requirements

The SEC rules and amendments were introduced in response to a lack of consistency in public company cybersecurity incident reporting, which can erode investor confidence. The table below summarizes key requirements for third-party risk management and incident disclosure to restore that confidence.

NOTE: This information is presented as summary guidance only. Organizations should review the complete SEC requirements in full in consultation with their auditors.

Amendments / How We Help

Reporting of Cybersecurity Incidents on Form 8-K
Item 1.05

“Describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”

Prevalent enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents as part of your broader incident management strategy.

In addition to our SaaS platform solutions, Prevalent offers a managed service where our experts centrally manage your vendors; conduct proactive event risk assessments; score identified risks; correlate against continuous cyber monitoring; and issue remediation guidance – all on your behalf.

Key capabilities include:

  • Continuously updated and customizable event and incident management questionnaires
  • Real-time questionnaire completion progress tracking
  • Defined risk owners with automated chasing reminders to keep surveys on schedule
  • Proactive vendor reporting
  • Consolidated views of risk ratings, counts, scores and flagged responses for each vendor
  • Workflow rules to trigger automated playbooks to act on risks according to their potential impact on the business
  • Built-in reporting templates for internal and external stakeholders
  • Guidance from built-in remediation recommendations to reduce risk
  • Data and relationship mapping to identify relationships between your organization and third, fourth or Nth parties to visualize information paths and reveal at-risk data.

Prevalent also provides access to a database containing 10+ years of data breach history for thousands of companies around the world – including types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.

Armed with these insights, your team can better understand the scope and impact of the incident; what data was involved; whether the third party’s operations were impacted; and when remediations have been completed – all by leveraging Prevalent experts.

Disclosure About Cybersecurity Incidents in Periodic Reports: Updates to Previously Filed Form 8-K Disclosure

“Disclose information that would have initially been reported on the Form 8-K had it been known or available at the time of initial disclosure.”

Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives.

Monitoring sources include:

  • 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
  • A database containing 10+ years of data breach history for thousands of companies around the world

Prevalent also incorporates business, reputational and financial data to add context to cyber findings and measure the impact of incidents over time.

Disclosure of a Registrant’s Cybersecurity Risk Management and Strategy

Item 106(b) of Regulation S-K

“Whether and how the described cybersecurity processes in Item 106(b) have been integrated into the registrant’s overall risk management system or processes”

Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program in line with your broader information security and governance, risk and compliance programs based on proven best practices and extensive real-world experience.

Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding – according to your organization’s risk appetite.

As part of this process, Prevalent can help you define:

  • Clear roles and responsibilities (e.g., RACI)
  • Third-party inventories
  • Risk scoring and thresholds based on your organization’s risk tolerance
  • Assessment and monitoring methodologies based on third-party criticality
  • Fourth-party mapping
  • Sources of continuous monitoring data (cyber, business, reputational, financial)
  • Key performance indicators (KPIs) and key risk indicators (KRIs)
  • Governing policies, standards, systems and processes to protect data
  • Compliance and contractual reporting requirements against service levels
  • Incident response requirements
  • Risk and internal stakeholder reporting
  • Risk mitigation and remediation strategies

“Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes”

Prevalent features a library of 200+ pre-built templates for third-party risk assessments. Assessments can be conducted at the time of onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually) depending on material changes.

Assessments are managed centrally in the Prevalent Platform, and are backed by workflow, task management and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle.

Importantly, Prevalent delivers built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner and can provide appropriate evidence to auditors.

The solution automates third-party risk management compliance auditing by collecting vendor risk information, quantifying risks, recommending remediations, and generating reports for dozens of government regulations and industry frameworks.

Prevalent automatically maps information gathered from control-based assessments to ISO 27001, NIST, GDPR, COBIT 5, SSAE 18, SIG, SIG Lite, SOX, NYDFS, and other regulatory frameworks, enabling you to quickly visualize and address important compliance requirements and adjust your program accordingly – including whether or not to accept residual risks.

For organizations with limited resources and expertise, Prevalent can manage the third-party risk lifecycle on your behalf – from onboarding vendors and collecting evidence, to providing remediation guidance and reporting on contract SLAs. As a result, you reduce vendor risk and simplify compliance without burdening internal staff.

“Whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider”

Prevalent enables you to assess and monitor your third parties based on the extent of the threats to your information assets by capturing, tracking and quantifying inherent risks for all third parties. Criteria used to calculate inherent risk for third-party classification include:

  • Type of content required to validate controls
  • Criticality to business performance and operations
  • Location(s) and related legal or regulatory considerations
  • Level of reliance on fourth parties (to avoid concentration risk)
  • Exposure to operational or client-facing processes
  • Interaction with protected data
  • Financial status and health
  • Reputation

From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory and reputational considerations.

Disclosure of a Registrant’s Management’s Role and Board Role in Cybersecurity Governance

Items 106(c)(1) and 106(c)(2) of Regulation S-K

“The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and ...

“The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents ...

“Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors”

Prevalent provides a framework for centrally measuring third-party KRIs against your requirements and reducing gaps in vendor oversight with embedded machine learning (ML) insights and customizable, role-based reports.

The capabilities can help your team to uncover risk trends, determine third-party risk status, and identify exceptions to common behavior that could warrant further investigation.

Prevalent also improves efficiency by getting the right data into the right hands at the right time. This makes it easy for report recipients to quickly determine risk acceptability and make confident decisions, regardless of skill level.

Align Your TPRM Program with ISO, NIST, SOC 2 and More

Download this guide to review specific requirements from 11 different cybersecurity authorities, identify TPRM capabilities that map to each requirement, and uncover best practices for ensuring compliance.
