New SEC regulations and impact on 3rd parties

With the latest proposed SEC cybersecurity rules coming out this spring, many organizations consider them a non-event because the rules regulate public companies. Not so fast. While the proposed rules directly apply to publicly traded companies, there are details that also impact their vendors, suppliers, and third parties.

The SEC is looking for “registrants to provide more consistent and informative disclosure regarding their cybersecurity risk management and strategy.” The details of the rules home in on requirements to “oversee and identify the cybersecurity risks associated with its use of any third-party service provider.” The push to oversee and identify cyber risks in third parties will increase the scrutiny those public companies place on their vendors and suppliers. In turn, it will become even more important for those vendors and suppliers to truly understand their own cybersecurity posture.

We’ve seen this already in the third-party risk management space. Companies are increasing their assessment of suppliers and pushing out more security questionnaires, and it’s creating a tax on those being assessed. Much of the time spent on completing these is lost not by the assessor company, but by the vendor trying to determine how to answer, or even whether they can answer, the questions being asked.

The best approach is not to wait until the first assessment comes in to determine how to go about that process, but to assess your organization while you are not under pressure to produce an answer set. Conducting a risk assessment not only informs your overall strategy to address cybersecurity as a business risk, it also provides insight into potentially better solutions or processes to implement, staff to hire or train, and policies to shore up. Collectively, these are the building blocks of a program that you will inevitably be asked about and required to discuss, whether it’s a customer, board member, or regulator asking.

The SEC is pushing for change because this type of reform is necessary to address risk and better inform shareholders, but it will have a knock-on effect on the supply chains and all third-party providers of those publicly traded companies.