The Securities and Exchange Commission (SEC) has recently adopted new rules that require public companies and foreign issuers to disclose material information about their cybersecurity risk management, strategy, governance, and incidents. These rules aim to enhance and standardize cybersecurity disclosures for investors, companies, and the markets. They will give investors better visibility into the security posture of public companies and their exposure to cyberattacks, heightening the importance of having a strong risk management program in place.
In this blog post, we will summarize the new SEC disclosure requirements, explain the importance of vendor risk management, and share some best practices when developing a vendor risk management program.
The New SEC Disclosure Requirements
The new SEC rules have two main components: current disclosure of material cybersecurity incidents and periodic disclosure of cybersecurity risk management, strategy, and governance.
Current Disclosure of Material Cybersecurity Incidents
Public companies must disclose any cybersecurity incident they determine to be material and describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the company. An Item 1.05 Form 8-K is generally due four business days after a company determines that a cybersecurity incident is material. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. Foreign private issuers must make comparable disclosures on Form 6-K for material cybersecurity incidents.
Periodic Disclosure of Cybersecurity Risk Management, Strategy, and Governance
As part of the new requirements, public companies must describe their processes for assessing, identifying, and managing risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents on an annual basis. Item 106 also requires companies to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures must be made in a company’s Annual Report on Form 10-K. Foreign private issuers must make comparable disclosures on Form 20-F for cybersecurity risk management, strategy, and governance.
The new SEC rules will become effective 30 days following publication of the adopting release in the Federal Register. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023.
Why Public Companies Should Prioritize Vendor Risk Management
These new requirements underscore the importance of having strong risk management programs in place. Vendor risk management is a critical component of an organization’s broader risk management strategy as nearly 60% of cybersecurity breaches can be traced to third-party vendors. Vendor risk management is the process of identifying, assessing, mitigating, and monitoring the risks associated with third-party vendors that provide products or services to a company.
By effectively managing vendor risk, companies can help protect themselves against cybersecurity incidents, and the disclosures they may trigger, that could affect their business operations, financial condition, reputation, or legal obligations. Additionally, companies now need to be more transparent about their risk management strategy in their annual reports, so it will be important to demonstrate that they have an effective vendor risk management program in place.
Best Practices for Developing a Vendor Risk Management Program
To reduce their exposure to vendor-related cyber risks, companies should follow some best practices when developing a vendor risk management program. Here are some suggestions:
- Conduct due diligence during the vendor vetting process to evaluate the vendors’ qualifications, security and data privacy practices, financial stability, reputation, and past performance
- Develop a comprehensive inventory of vendors and suppliers and categorize them based on their criticality and potential risk to the business
- Conduct regular risk assessments to identify and remediate potential risks and vulnerabilities associated with the vendors’ products or services
- Continuously monitor the attack surfaces of vendors
- Develop an incident response plan outlining the steps to be taken in case of a security breach or other incident involving the vendor
- Develop escalation and remediation procedures for addressing security incidents or other issues involving the vendor
By following these best practices, companies can develop a robust and effective vendor risk management program that can help them navigate the SEC cybersecurity disclosure requirements and protect their business from vendor-related risks.
ProcessBolt offers a fully-integrated, AI-driven vendor risk management platform that uniquely enables organizations to assess and continuously monitor their vendor networks.
Contact us today to learn more about how we can assist you!