At the end of March, the Securities and Exchange Commission’s (SEC) Division of Examinations (referred to as EXAMS) released its 10th annual Examination Priorities Report, identifying five significant focus areas that they believe bring heightened risk. Of these focus areas, information security and operational resiliency are perhaps most obviously relevant to third-party risk managers. Let’s review some of the specific activities that the SEC expects of organizations.
6 Information Security Controls
The SEC states that information security controls are critical to ensure business continuity. As third-party cyberattacks continue to grow in volume and complexity, EXAMS will review organizations to ensure they’re performing the following activities, which have been extracted directly from the report:
Specifically, EXAMS will continue to review whether firms have taken appropriate measures to:
- Safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access;
- Oversee vendors and service providers;
- Address malicious email activities, such as phishing or account intrusions;
- Respond to incidents, including those related to ransomware attacks;
- Identify and detect red flags related to identity theft; and
- Manage operational risk as a result of a dispersed workforce in a work-from-home environment.
Overseeing vendors and service providers is a fairly general requirement. Let's consider how it relates to the information security practices of the vendor. A vendor's cybersecurity posture indicates whether it is capable of protecting your organization's and your customers' data by preventing, detecting and responding to incidents.
Here's a breakdown of those three cybersecurity posture components:
- Prevention – Does the vendor have tools and processes in place to prevent cybersecurity incidents? Firewalls, anti-malware products, patch management practices and security training for employees and the vendor's contractors should be in place to prevent incidents like data breaches and ransomware attacks. Vulnerability scanning and penetration testing are also important tools the vendor should have within its cybersecurity strategy.
- Detection – What processes does the vendor have related to incident detection and notification? The vendor’s incident response plan should clearly state notification stipulations as well as the role of the information security team during the notification process.
- Response – How will the vendor respond to an incident? Make sure the vendor has specified how it will respond to different types of attacks, as each type will require a different process. The vendor should also provide details on how it will contain, eradicate and recover from an incident. You should also investigate the cyber insurance coverage the vendor carries and review the coverage amounts to ensure they are sufficient.
4 Next Steps to Take After a Data Breach
The importance of monitoring your vendors' cybersecurity practices can't be overstated; however, it must be accepted that third-party data breaches are never completely preventable. Therefore, you need to determine in advance how your organization will respond to a third-party data breach that impacts your customers. Keep these next steps in mind:
- Define the impact. Make sure you understand the scope of the breach and how many customers may have been impacted.
- Communicate with your customers. Notifying your customers about a third-party data breach is never easy, but it’s critical to remain transparent about the situation and provide timely information.
- Provide credit monitoring services. A data breach that involves non-public personal information may expose your customers to identity theft. Offering credit monitoring services can help provide your customers peace of mind after a breach.
- Re-assess your information security processes. Third-party data breaches allow you to learn valuable lessons, so think about whether you need to update any processes or implement training for your employees to help prevent future breaches.
Year after year, the SEC expects organizations to have effective processes in place to manage vendor relationships and the associated risks that come from those partnerships. Information security risk is just one type, but it’s a significant risk that can ultimately impact an organization’s resiliency.