SEC Cybersecurity Rules & Third-Party Disclosure: What Public Companies Must Do Now

If your organization is publicly traded — or if you serve one as a vendor — the SEC’s cybersecurity disclosure rules have fundamentally changed how third-party risk must be governed, reported, and communicated to investors.

The Rule, in Plain English

On July 26, 2023, the SEC adopted its final rule: “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure”. Requirements took effect for most registrants in mid-December 2023, with Regulation S-P amendments carrying a compliance deadline of June 3, 2026. The rule creates two layers of obligation — incident reporting and annual program disclosure — and third-party vendors sit squarely at the center of both.

The Third-Party Disclosure Mandate

The SEC’s language is explicit: companies must disclose whether they have “processes to oversee and identify material risks from cybersecurity threats associated with their use of any third-party service provider”. This is not optional language buried in guidance — it is a named disclosure item under Regulation S-K Item 106.

Three specific questions must be answered in annual filings:

  • Are your vendor risk management processes integrated into your overall risk management system?
  • Do you engage third-party assessors, consultants, or auditors to evaluate cybersecurity risk?
  • Do you have active processes to oversee and monitor cybersecurity risks from your vendor base?

Vendor Incidents Trigger Your Disclosure Obligations

This is the clause that catches most organizations off guard: a breach on a vendor’s systems can trigger your SEC reporting obligation — even if your own infrastructure was never touched. The SEC is unambiguous — materiality is determined by impact on the registrant, not by where the affected systems reside or who owns them.

In practice, this means:

  • A cloud provider, payroll platform, or SaaS tool breach that materially impacts your operations or data must be disclosed
  • You must file Form 8-K within 4 business days of determining a cybersecurity incident is material
  • Your vendor contracts must give you the right to receive timely incident information from suppliers — without it, you cannot meet your own reporting deadlines

Board-Level Accountability Is Now Mandatory

The rule doesn’t stop at operational processes — it reaches the boardroom. Companies must disclose in their annual reports:

  • The board’s role in overseeing cybersecurity risk, including third-party risks
  • Management’s role in assessing, monitoring, and escalating cybersecurity threats
  • Whether any board member possesses relevant cybersecurity expertise

The SEC’s message is clear: cybersecurity risk — including third-party risk — is a governance issue, not just a technical one. Boards that rubber-stamp annual security reviews without meaningful engagement now carry legal exposure.

What This Means for Your Vendor Program

Requirement / What It Demands

  • Vendor Risk Inventory: Categorize all vendors by risk level; higher-risk vendors need stricter controls
  • Contract Rights: All vendor agreements must include rights to receive incident notifications and audit capabilities
  • Ongoing Monitoring: One-time onboarding assessments are insufficient; continuous monitoring is expected
  • 4-Day Incident Pipeline: Internal escalation processes must surface vendor-originated incidents fast enough for timely disclosure
  • Annual 10-K Disclosure: Program maturity, governance structure, and third-party oversight must be documented and disclosed


The Bottom Line

The SEC has made it legally clear: your third-party risk program is a disclosure item. Organizations that cannot demonstrate active, structured oversight of vendor cybersecurity — documented, integrated, and board-supervised — are not just operationally exposed; they face regulatory penalties and investor liability. The compliance window for Regulation S-P closes on June 3, 2026, making right now the critical moment to close gaps in vendor governance infrastructure.

Enlighta’s software solutions empower enterprises to increase business value and mitigate risks in supplier and third-party engagements through data-driven insights into demand, performance, contract compliance & spend, and process automation for demand, selection, invoice validation, vendor governance, and third-party risk monitoring.

© 2026 Enlighta.com. All Rights Reserved