New SEC Cybersecurity Reporting Requirements: Third-Party Risk Management Implications

Public companies will need to formalize their third-party risk management programs to meet new SEC reporting requirements. Here’s where to start.
By:
Scott Lang
,
VP, Product Marketing
March 29, 2022
Share:
Blog sec reporting tprm 0322

The U.S. Securities and Exchange Commission (SEC) recently introduced new requirements for publicly traded companies to notify the government when they are hacked. These reporting updates are designed to better inform investors about cybersecurity governance and practices at the companies in their portfolios.

Notably for third-party risk management programs, the new governance disclosures will require updates on risk assessments, with an emphasis on risks that the company may take on by using outside or third-party services. According to the proposed regulation, companies will also be asked about security audits, business continuity plans, and how cybersecurity fits into their broader business strategy.

For public companies that lack a formalized third-party risk management program, now is the time to add some structure to your processes. Here are 6 steps to take.

1. Start with a maturity assessment

Start by determining how mature your existing third-party risk management (TPRM) processes are. We recommend leveraging the Capability Maturity Model to gain a snapshot of current processes. This maturity model evaluates five aspects of your TRPM program:

  1. Coverage: How comprehensive is the program scope? Do you have visibility into all vendors and suppliers in your organization’s third-party ecosystem?
  2. Content: Do you have processes to ensure that risk assessment questionnaires remain up-to-date and appropriate for all types of third parties being assessed?
  3. Roles & Responsibilities: Are contributors to your TPRM program aware of their responsibilities and expected level of involvement within operational workflows?
  4. Remediation: Is remediation conducted in a consistent manner, and have processes been optimized to improve program efficiency?
  5. Governance: How is program performance measured? Are you able to demonstrate its success? Do you have the appropriate metrics to inform strategic direction?

Grade each of the above areas on a scale of 1 (initial) to 5 (optimizing) to identify which need the most attention. Prevalent offers a complimentary TPRM maturity assessment service to guide you through this process.

Free TPRM Maturity Assessment

Work with Prevalent experts to get in-depth report on the state of your current TPRM program, plus practical recommendations for how to bring it to the next level.

Get Started
Datasheet tprm platform nov 2019

2. Centralize vendor management

You can’t manage what you can’t measure. Therefore, ditch the spreadsheets and inventory your vendors with a centralized platform. This will ensure that multiple internal teams can participate in vendor management and that processes can be automated for everyone’s benefit. You can either upload your existing vendor spreadsheets into a central platform, use an API to procurement systems or other systems of record, or have internal stakeholders complete a vendor onboarding form.

3. Profile and tier all vendors to prescribe the proper due diligence

Once your vendors are centrally managed, conduct inherent risk scoring to build more comprehensive vendor profiles and to determine the appropriate frequency and scope of future assessments. As you profile and tier your third parties, consider attributes such as:

  • The types of evidence that vendors must provide to demonstrate required controls
  • The third party’s criticality to your business performance
  • Company locations and any associated legal or regulatory obligations (e.g., GDPR)
  • The extent to which each third party’s services rely on fourth parties

4. Establish regular assessment cadences

Once you’ve onboarded your vendors and scored their inherent risk, the next step is to conduct due diligence assessments. These assessments can vary according to the controls standards and compliance requirements important to your organization.

Here are some important things to consider when planning assessments:

  • Do your vendor contracts compel third parties to respond to risk assessments on a timely manner?
  • How frequently do you need assess each vendor? The tiering results calculated in step 3 can help inform this decision.
  • Which questionnaire will be used to gather information about your vendor’s controls? Will you use industry-standard or proprietary surveys? Industry-standard surveys such as SIG, NIST or ISO assessments can simplify vendor comparisons. Proprietary or custom assessments might be necessary if you have unique requirements.
  • Do you have the capability to review alternative content and evidence submissions, such as when a vendor submits a SOC 2 report instead of completing your risk assessment?

Answering these questions will help you determine which collection method to use. For example, managing the collection yourself, taking advantage of repositories of pre-completed questionnaires, outsourcing collection to a partner, or some combination of each. Your organization’s level of resources and expertise will likely guide this decision.

Regardless of the collection method, take advantage of built-in recommendations to remediate risks down to a level that is tolerable to the business.

5. Continuously monitor third parties

Periodic, questionnaire-based assessments are great, but they still leave gaps in visibility. You can cover these gaps by conducting continuous cyber monitoring of your vendors and suppliers. Typical sources of third-party cyber intelligence include criminal forums; onion pages; dark web special access forums; threat feeds; paste sites for leaked credentials; security communities; code repositories; and vulnerability and hack/breach databases.

However, not all attacks are signaled through the sources listed above. Changes in a company’s business behavior or financial performance can signal a strategy shift or lack of funding for cyber defenses. Accordingly, extend your monitoring to include public and private sources of reputational, sanctions and financial information such as:

  • Business: M&A activity, business news, negative news, regulatory and legal information, operational updates.
  • Financial: Turnover, profit and loss, shareholder funds.
  • Global sanctions lists: OFAC, EU, UN, BOE, FBI, BIS, FDA, US HHS, UK FSA, SEC, etc.
  • State-owned enterprise screening
  • Politically exposed persons (PEP) lists

You can monitor these sources separately or use a vendor risk monitoring solution to centralize unify these insights into your third-party risk program.

6. Prepare audit reports in advance

Since third-party risk management will be a key control focus in the new SEC requirements, it’s important to show progress toward achieving compliance with those requirements – for auditors both outside and inside your organization. Compliance reporting can be complex and time-consuming, so built-in reporting for common regulations and industry frameworks can speed and simplify the process.

Gaining visibility into each vendor’s level of compliance can make your reporting easier. Start by establishing a compliance “pass” percentage threshold against a risk category (e.g., X% compliant against a particular framework or guideline). All reporting will tie back to that percent-compliant rating, and your team can focus on subareas where compliance pass rates are low. Be sure to also conduct compliance assessments at a macro level across all vendors; not just at the vendor-level. Macro-level reporting will be important for your board as they seek to determine how compliant your organization is against the “flavor of the month” regulation.

Navigating the Vendor Risk Lifecycle: Keys to Success

This complimentary guide details best practices for successfully managing risk throughout the vendor lifecycle. See what we've learned in our 20+ years of experience working with hundreds of customers.

Read Now
Feature navigating vendor risk lifecycle

Next steps

At the end of the day, having centralized vendor risk assessment data for all vendors in a single platform will:

  • Enable security and risk management teams to manage risks with more consistency and discipline, thereby improving governance
  • Facilitate enterprise buy-in to third-party risk management initiatives
  • Simplify reporting against periodic SEC audit requirements

Prevalent can help. Download Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage for more prescriptive steps and guidance, or request a demo

to discuss your needs today.

Tags:
Share:
Leadership scott lang
Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo