As you may remember, earlier this year the Securities and Exchange Commission (SEC) voted to propose cybersecurity rules and amendments related to disclosures, risk management and security incidents for registered investment advisers and registered investment companies. Following that vote, the SEC published the proposed rules and amendments. According to the SEC, the proposed rules are meant to give investors timely notice of material security incidents and to better inform them about a company’s cybersecurity risk management, strategy and governance.
The SEC seems particularly focused on a company’s ability to identify, monitor and assess its third-party service providers. For instance, the proposed rules would require a company to disclose its policies and procedures for identifying and managing cybersecurity risks and threats, including “policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers.” See https://www.sec.gov/rules/proposed/2022/33-11038.pdf
As we have noted in prior updates, the SEC seems to be taking a page from the Cybersecurity Regulation promulgated by the New York State Department of Financial Services (NYDFS), which has been in place for the last few years. Pay particular attention to the last clause of the proposed rule quoted above. The SEC is interested not only in how a company manages third-party cybersecurity risk on an ongoing basis, but also in how the company selects a third-party service provider in the first place and how risks are mitigated, contractually or otherwise, at the start of the relationship. The NYDFS Cybersecurity Regulation takes the same approach in Section 500.11, which addresses third-party service providers and a company’s due diligence process.
The SEC explains that increased reliance on third-party service providers for information technology services has led to more cybersecurity incidents involving third-party vulnerabilities, and it cites various studies in support of that position. In other words, the SEC recognizes and is focused on the risks associated with third-party service providers, and the proposed rules touch every stage of a company’s third-party due diligence process. In short, a company should thoroughly review that process, including how it selects service providers, what it requires of them contractually, and how it manages those third parties and their associated cybersecurity risks over the life of the relationship.