Third-party cyber risk is a material business risk, according to new SEC cybersecurity incident disclosure requirements. The final rule notes that 98 percent of organizations use at least one third-party vendor that has experienced a breach in the last two years.
At the end of July, the Commission voted 3-2 to issue long-awaited regulations that mandate uniform cyber incident disclosures for public companies.
Public companies have anticipated the final rule for over a year, a period marked by extensive public input and lobbying efforts from business and cyber experts. The SEC received 150 public comments on the proposed rules and ultimately responded to those comments and concerns, including with notable changes to the reporting requirement for national security and public safety cases.
The SEC attributes the need for the new requirements to current cybersecurity trends, such as the growing dependence on third-party service providers. Public companies must begin disclosing breaches to the SEC this December, so now is the time to understand the new rules and align internal processes with them.
Cybersecurity incidents occurring on third-party systems are NOT exempt
The SEC’s…



























