New SEC Cyber Rules Bring Third-Party Risk and Compliance to Forefront

The recent implementation of new cybersecurity incident disclosure requirements by the U.S. Securities and Exchange Commission (SEC) has placed third-party cyber risk squarely in the spotlight. These new regulations underscore the materiality of third-party cyber risk, emphasizing its significance as a business risk. The SEC's final rule acknowledges that a substantial number of organizations, approximately 98%, rely on third-party vendors that have suffered breaches within the last two years.

After more than a year of anticipation, the SEC voted 3-2 at the end of July to introduce uniform cyber incident disclosure mandates for publicly traded companies. This rule comes after extensive engagement with industry experts, businesses, and cyber specialists, with the SEC having received 150 public comments on the proposed regulations. The final rule reflects the agency's responsiveness to feedback, including adjustments to reporting requirements in cases related to national security and public safety.

The imperative for these new requirements is rooted in the evolving landscape of cybersecurity trends, notably the increasing reliance on third-party service providers. The effective date for public companies to begin disclosing breaches to the SEC is December, prompting an urgency for organizations to comprehend the new regulations and align internal procedures accordingly.

Significantly, the final rule dispels any notion of exemption for cybersecurity incidents occurring on third-party systems. The SEC emphasizes that the materiality of an incident is not determined by the location of the electronic systems or by who operates them. As companies increasingly depend on third-party cloud services, direct control over data becomes less relevant, so a breach on a third-party system is not exempt from disclosure.

Given that a typical company interacts with thousands of vendors, the intricate web of relationships elevates the risk associated with the attack surface. Traditional manual approaches to assessing third-party security controls are deemed inadequate in such a complex environment. With the new rules impending, public companies must commence their compliance initiatives immediately.

Key Strategies for Effective Third-Party Cyber Risk Management:

  1. Holistic Vendor Ecosystem Understanding: To overcome the challenges of third-party visibility and exposure, adopting external attack surface management can replace cumbersome manual processes. This approach ensures that supply chain risk is continually understood and addressed.
  2. Standardized Cyber Risk Measurement: Regulated entities must embrace a process that provides defensible and traceable measurements of their security investments. Cybersecurity risk scores offer data-driven insights for informed risk assessment. Understanding the cyber risk score of partnered organizations aids in making decisions on acceptable risk.
  3. Focused Risk Mitigation and Remediation: Expressing risk in terms of business impact, including monetary value, compels business leaders to drive remediation endeavors. Furthermore, a systematic process is necessary to verify that third-party vendors fulfill their risk obligations as stipulated in contracts.

In an era marked by escalating cybersecurity threats and an increasing reliance on third parties, the demand for measuring security posture is on the rise. Organizations are urged to adopt a proactive stance, leveraging real-time data to inform cybersecurity efforts and employing meaningful metrics to navigate cyber risk across the digital supply chain. As the landscape evolves, prioritizing third-party risk management becomes a non-negotiable aspect of operational resilience and compliance.

The new SEC rules have galvanized organizations to intensify their focus on third-party cyber risk, compelling them to build robust strategies and systems to navigate the evolving landscape of cybersecurity threats and ensure compliance with regulatory mandates.