New SEC Cybersecurity Reporting Requirements: Third-Party Risk Management Implications

2. Centralize vendor management

You can’t manage what you can’t measure. Therefore, ditch the spreadsheets and inventory your vendors with a centralized platform. This will ensure that multiple internal teams can participate in vendor management and that processes can be automated for everyone’s benefit. You can either upload your existing vendor spreadsheets into a central platform, use an API to procurement systems or other systems of record, or have internal stakeholders complete a vendor onboarding form.

3. Profile and tier all vendors to prescribe the proper due diligence

Once your vendors are centrally managed, conduct inherent risk scoring to build more comprehensive vendor profiles and to determine the appropriate frequency and scope of future assessments. As you profile and tier your third parties, consider attributes such as:

• The types of evidence that vendors must provide to demonstrate required controls
• The third party’s criticality to your business performance
• Company locations and any associated legal or regulatory obligations (e.g., GDPR)
• The extent to which each third party’s services rely on fourth parties

4. Establish regular assessment cadences

Once you’ve onboarded your vendors and scored their inherent risk, the next step is to conduct due diligence assessments. These assessments can vary according to the controls standards and compliance requirements important to your organization.

Here are some important things to consider when planning assessments:

• Do your vendor contracts compel third parties to respond to risk assessments on a timely manner?
• How frequently do you need assess each vendor? The tiering results calculated in step 3 can help inform this decision.
• Which questionnaire will be used to gather information about your vendor’s controls? Will you use industry-standard or proprietary surveys? Industry-standard surveys such as SIG, NIST or ISO assessments can simplify vendor comparisons. Proprietary or custom assessments might be necessary if you have unique requirements.
• Do you have the capability to review alternative content and evidence submissions, such as when a vendor submits a SOC 2 report instead of completing your risk assessment?

Answering these questions will help you determine which collection method to use. For example, managing the collection yourself, taking advantage of repositories of pre-completed questionnaires, outsourcing collection to a partner, or some combination of each. Your organization’s level of resources and expertise will likely guide this decision.

Regardless of the collection method, take advantage of built-in recommendations to remediate risks down to a level that is tolerable to the business.

5. Continuously monitor third parties

Periodic, questionnaire-based assessments are great, but they still leave gaps in visibility. You can cover these gaps by conducting continuous cyber monitoring of your vendors and suppliers. Typical sources of third-party cyber intelligence include criminal forums; onion pages; dark web special access forums; threat feeds; paste sites for leaked credentials; security communities; code repositories; and vulnerability and hack/breach databases.

However, not all attacks are signaled through the sources listed above. Changes in a company’s business behavior or financial performance can signal a strategy shift or lack of funding for cyber defenses. Accordingly, extend your monitoring to include public and private sources of reputational, sanctions and financial information such as:

• Business: M&A activity, business news, negative news, regulatory and legal information, operational updates.
• Financial: Turnover, profit and loss, shareholder funds.
• Global sanctions lists: OFAC, EU, UN, BOE, FBI, BIS, FDA, US HHS, UK FSA, SEC, etc.
• State-owned enterprise screening
• Politically exposed persons (PEP) lists

You can monitor these sources separately or use a vendor risk monitoring solution to centralize unify these insights into your third-party risk program.

6. Prepare audit reports in advance

Since third-party risk management will be a key control focus in the new SEC requirements, it’s important to show progress toward achieving compliance with those requirements – for auditors both outside and inside your organization. Compliance reporting can be complex and time-consuming, so built-in reporting for common regulations and industry frameworks can speed and simplify the process.

Gaining visibility into each vendor’s level of compliance can make your reporting easier. Start by establishing a compliance “pass” percentage threshold against a risk category (e.g., X% compliant against a particular framework or guideline). All reporting will tie back to that percent-compliant rating, and your team can focus on subareas where compliance pass rates are low. Be sure to also conduct compliance assessments at a macro level across all vendors; not just at the vendor-level. Macro-level reporting will be important for your board as they seek to determine how compliant your organization is against the “flavor of the month” regulation.

Next steps

At the end of the day, having centralized vendor risk assessment data for all vendors in a single platform will:

• Enable security and risk management teams to manage risks with more consistency and discipline, thereby improving governance
• Facilitate enterprise buy-in to third-party risk management initiatives
• Simplify reporting against periodic SEC audit requirements

Prevalent can help. Download Navigating the Vendor Risk Lifecycle: Keys to Success at Every Stage for more prescriptive steps and guidance, or request a demo

to discuss your needs today.