Supply chain attacks are one of the biggest cybersecurity threats of our time. Gartner predicts that by 2025, 45 percent of organizations will have experienced an attack on their software supply chains, demonstrating a need for stronger cybersecurity regulations for organizations within the value chain industry.
SEC cybersecurity reporting regulations
In response to the growing threat landscape, on July 26, 2023, The Securities and Exchange Commission (SEC) adopted the “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rules, which will be effective from September 5, 2023.
Under the new ruling, organizations are required to proactively understand and demonstrate compliance with these new obligations by reporting significant cybersecurity incidents to the SEC. Disclosure of cybersecurity risks and incidents to investors, among other market participants where their advisory services are materially affected, is also a requirement.
Impact on supply chains
The increasing number of breaches of third-party vendors has made it critical for companies to understand their supply chain and the risks an attack can pose to their organization. Failing to comply with these regulations may expose organizations to potential cyber threats, reputational risks, and legal consequences.
The proposed rule requirements can be broken down into three major categories and control initiatives:
- Cybersecurity risk-management policies and procedures and aligning around a cybersecurity framework to ensure that access controls, network and infrastructure security, vulnerability management, incident response, and other areas are consistent across the organization and its supply chain
- Reporting significant cybersecurity incidents to the SEC
- Disclosure of cybersecurity risks and incidents
Implications
Implications of the rule differ depending on whether an organization is or is not SEC listed.
- SEC-listed organizations: Compliance with the rule involves a significant shift in their approach to cybersecurity and digital risk management, going beyond the traditional confines of IT and technology functions. SEC-listed businesses are likely to have significant concerns about their supply chain depth, as this could reveal cybersecurity weaknesses stemming from dealings with non-SEC registrants providing crucial services to the SEC registrant.
- Non-SEC listed organizations: The critical risk for these businesses will be identifying SEC-listed clients to whom material services are provided. Where weaknesses exist or are suspected, it is expected that SEC-listed organizations will seek to impose warranties, liabilities, and indemnities throughout their supply chain to protect themselves against SEC noncompliance.
Potential consequences for noncompliance include financial penalties levied by the SEC, increased compliance costs if the organization chooses to be reactive rather than proactive on the issue, and the cost of the time and effort to remedy issues with disclosure after the fact. It is recommended that organizations proactively demonstrate compliance to avoid these potential consequences.
Read more about this topic and key implications for organizations: SEC regulations and their impact. For more supply chain insights from Tony Pelli, read CTPAT risk assessment: Why it matters and CTPAT security guidelines: Protecting the global supply chain. For further insights on other digital trust, privacy, information security, and environmental, health, and safety topics that should be at the top of your organization's list, visit BSI's Experts Corner.
