Third-party cyber risk is a material business risk, according to new SEC cybersecurity incident disclosure requirements. The final rule notes that 98 percent of organizations use at least one third-party vendor that has experienced a breach in the last two years.
At the end of July, the Commission voted 3-2 to issue long-awaited regulations that mandate uniform cyber incident disclosures for public companies.
Public companies have anticipated the final rule for over a year, a period marked by extensive public input and lobbying from business and cyber experts. The SEC received 150 public comments on the proposed rules and ultimately acted on several of those comments and concerns, including by making notable changes to the reporting requirement for national security and public safety cases.
The SEC attributes the necessity of new requirements to current cybersecurity trends, such as the growing dependence on third-party service providers. Public companies must begin disclosing breaches to the SEC this December. Therefore, now is the time to understand the new rulings and align internal processes with compliance.
Cybersecurity incidents occurring on third-party systems are NOT exempt
The SEC’s final rule mentions the term “third-party” 39 times total and states, “Whether an incident is material is not based on where the relevant electronic systems reside or who holds them. In other words, we do not believe a reasonable investor would view a significant breach of a registrant’s data as immaterial merely because the data were housed on a third-party system, especially as companies increasingly rely on third-party cloud services that may place their data out of their immediate control.”
Simply put, cybersecurity incidents occurring on third-party systems are not exempt. Because a typical company deals with thousands of vendors and must assess risk across this entire ecosystem, the resulting attack surface is very large.
Demand grows to understand attack surface and third-party cyber risk
Traditional, manual approaches for assessing third-party security controls are not adequate, especially when thousands of external parties are involved. With the new rules going into effect in only a few months, public companies must begin their compliance journey today.
Three key strategies for third-party cyber risk management
Organizations building programs to deliver the insights needed to comply with the new SEC rules should start with three specific efforts to build real-time insights into their cyber risk management programs:
- Build a 360-degree view of the vendor ecosystem: Supply chain risks continue to form a web of complexity and volatility. To overcome third-party visibility and exposure challenges, external attack surface management can replace time-consuming manual processes and continuously verify that supply chain risk is understood and remediated.
- Standardize cyber risk measurement: Regulated entities must adopt a defensible and traceable process for measuring the outcome of their security investments. Cybersecurity risk scores are designed to automate and inform risk assessment with data-driven insights. Knowing the cyber risk score of the organizations a company works with also helps make informed decisions about whether the associated risk is acceptable.
- Prioritize third-party risk mitigation and remediation: Expressing risk in business terms using data-driven analysis, especially in currency value, keeps business leaders motivated to drive remediation efforts. Additionally, organizations must have processes in place to verify that third-party vendors perform their contracted risk obligations, including risk reporting, security incident notifications, and business continuity plans.
Every major cyber crisis brings the spotlight back on risk management and resilience. The increasing focus on cybersecurity threats and the growing reliance on third parties drive demand to measure security posture. Organizations must adopt an attacker’s mindset, drive action with trusted, real-time data, and measure cybersecurity with meaningful metrics to manage cyber risk across the digital supply chain.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email editor @ hstoday.us.