New from SEC: Cybersecurity Final Rule on Reporting Hits Third Party Risk

a cropped image of a stop light against a clear blue sky
Jake Olcott
Written by Jake Olcott
VP of Communications and Government Affairs, Bitsight

In one of the most important cybersecurity regulatory developments in recent memory, the U.S. Securities and Exchange Commission (SEC) recently adopted new cybersecurity requirements for publicly traded companies, creating new obligations for reporting “material” cybersecurity incidents and requiring more detailed disclosure of cybersecurity risk management, expertise, and governance. Companies are required to disclose risks in their annual reports beginning on December 15, 2023.

Although the SEC cybersecurity disclosure requirements are drafted relatively broadly, there is one particular area in which the SEC requires specific disclosure: third party risk. In fact, the SEC clearly states in its regulation that companies should disclose whether they have “processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.”

Why the explicit focus on third party risk? The SEC recognizes that third parties are increasingly the source of significant cyber risk to an organization. Fueled by the accelerated digital transformation and the shift to the cloud, organizations are turning to more third party vendors to increase efficiency, innovation, and competitive advantage. However, the risk of experiencing a cybersecurity incident introduced by a third party has also risen dramatically. Some of the biggest and costliest data breaches in history used third-party vendors and software vulnerability exploits across the supply chain as entry points. The SEC is clear: a third party incident could absolutely materially impact a company.

Security leaders who are involved with their company’s SEC cyber disclosure strategy should pay close attention to their third party cyber risk management program. They should ensure that their company’s third party cyber risk strategy includes, at a minimum, the following three components:

  1. Identify, categorize, and prioritize third party suppliers, vendors, and business partners 
  2. Perform vendor risk assessments using a risk-based approach, to identify risk thresholds for these third parties.
  3. Continuously monitor and reassess cyber risks of these third parties, including changes in their security posture, exposure to new vulnerabilities, fourth party risks, etc.

Organizations may rely on dozens, hundreds, thousands-–and even tens of thousands-–of third party vendors every day to provide strategic services. Due to the increased reliance on outsourcing, the need to automatically and continuously monitor and manage vendors is not an option—it’s a business imperative.

Building a comprehensive program that addresses each of these critical components will allow CISOs to confidently report on their initiatives to internal and external stakeholders alike. Bitsight Vendor Risk Management and Bitsight Third Party Risk Management solutions empower risk leaders to manage their digital ecosystem from start to finish—accelerating risk assessments and continuously monitoring to uncover and mitigate blind spots across their digital ecosystem.

Get started today. Use this Bitsight e-book as a guide to elevate your organization’s comprehensive, scalable third party cyber risk management program.