Risk and Oversight Disclosures (SEC)
The Securities and Exchange Commission (SEC) requires public companies to disclose information about the risks they face and how they manage them. Investors need to understand the potential financial impact on the company. Here's a breakdown of Risk and Oversight Disclosures in the SEC context:
Types of Risks Disclosed:
Financial Risks: These can be related to the company's debt levels, competition, or economic conditions.
Operational Risks: These can include disruptions to the company's business, such as supply chain issues, cyberattacks, or natural disasters.
Compliance Risks: These are risks associated with violating laws or regulations.
Climate-Related Risks: The SEC adopted rules in March 2024 requiring companies to disclose how climate-related risks could affect their business (the SEC stayed the rules in April 2024 pending judicial review).
Oversight of these Risks:
Companies must also disclose how their board of directors oversees these risks. This includes how the board (or a board committee) is structured for risk oversight, how it receives information about risk from management, and the qualifications of the directors. Note the division of labor: management manages risk day to day; the board oversees it.
Recent Developments:
The SEC has recently increased its focus on risk and oversight disclosures. Here are two examples:
Cybersecurity Disclosures (proposed March 2022, adopted July 2023): Companies must disclose a material cybersecurity incident on Form 8-K (Item 1.05) within four business days of determining that the incident is material, and must describe annually (Regulation S-K Item 106, presented as Item 1C of Form 10-K) their processes for assessing and managing cybersecurity risk, the material effects of cybersecurity threats and prior incidents, and how the board and management oversee cybersecurity.
Enhanced Disclosures About Risk, Compensation, and Corporate Governance (adopted December 2009): This rule requires companies to disclose compensation policies and practices whose risk incentives are reasonably likely to have a material adverse effect on the company. It also requires disclosure of the board's leadership structure and its role in risk oversight.
By requiring these disclosures, the SEC aims to provide investors with more information to make informed investment decisions.
How ThreatNG Can Benefit Organizations with SEC Filings Analysis
ThreatNG, as an all-in-one EASM, DRP, and security ratings solution with the ability to analyze SEC filings for "Risk and Oversight Disclosures," can significantly enhance an organization's security posture in several ways:
1. Proactive Threat Identification:
Understanding Third-Party and Supply Chain Risks: ThreatNG can analyze the SEC filings of your vendors, suppliers, and other third-party partners. By identifying their disclosed risks (cybersecurity, financial, operational, etc.), you can proactively assess the potential impact on your organization. This only covers counterparties that are public companies and file with the SEC; private vendors need other evidence.
Identifying Potential Threats Early: ThreatNG can flag potential weaknesses in your ecosystem by analyzing risk disclosures before attackers exploit them. For example, if a supplier discloses a history of cyberattacks, you can prioritize a security assessment of that supplier.
2. Improved Third-Party Risk Management (TPRM):
Streamlined Vendor Onboarding: ThreatNG can automate the analysis of SEC filings during vendor onboarding, saving time and resources. This allows for a more risk-based approach to vendor selection.
Continuous Monitoring: ThreatNG can track changes in risk disclosures over time (for example, a new Form 8-K incident filing or new language in a supplier's annual risk factors), allowing you to stay updated on the evolving risk landscape within your supply chain.
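ThreatNG's own parsing is not described on this page. The following is an added Python example, not ThreatNG's code, that shows the mechanics behind the continuous-monitoring step on constructed text: it splits a Form 10-K body into its numbered items, compares the Item 1A (risk factors) and Item 1C (cybersecurity) sections of two snapshots of a hypothetical supplier's filing, and reports the added lines plus incident-related terms that appear for the first time. The filing text, the keyword list and the function names are constructed for the example; the item numbers follow Form 10-K.

```python
from __future__ import annotations

import difflib
import re
from dataclasses import dataclass, field

# Constructed sample text: two yearly snapshots of a hypothetical supplier's
# Form 10-K, reduced to a few items. These are not real filings.
FILING_2023 = """
ITEM 1A. RISK FACTORS
We depend on third-party cloud providers. A disruption could harm our business.

ITEM 1B. UNRESOLVED STAFF COMMENTS
None.

ITEM 1C. CYBERSECURITY
Our Chief Information Security Officer reports to the Audit Committee quarterly.
We have not experienced a cybersecurity incident that has materially affected us.

ITEM 2. PROPERTIES
We lease offices in three locations.
"""

FILING_2024 = """
ITEM 1A. RISK FACTORS
We depend on third-party cloud providers. A disruption could harm our business.
We have experienced ransomware attacks in the past and may again.

ITEM 1B. UNRESOLVED STAFF COMMENTS
None.

ITEM 1C. CYBERSECURITY
Our Chief Information Security Officer reports to the Audit Committee quarterly.
In February 2024 we experienced a ransomware incident that materially affected
our operations; see our Form 8-K filed under Item 1.05.

ITEM 2. PROPERTIES
We lease offices in three locations.
"""

# 10-K item headers look like "ITEM 1C. CYBERSECURITY" (case varies in practice).
ITEM_HEADER = re.compile(r"^ITEM\s+(\d+[A-Z]?)\.\s+(.+)$", re.MULTILINE | re.IGNORECASE)

# Assumed watch list of incident-related phrases; a real deployment would tune this.
KEYWORDS = ("ransomware", "data breach", "cybersecurity incident",
            "materially affected", "8-K", "Item 1.05")


def split_items(filing: str) -> dict[str, str]:
    """Split a 10-K body into {item number: body text}, e.g. {"1C": "..."}."""
    items: dict[str, str] = {}
    headers = list(ITEM_HEADER.finditer(filing))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(filing)
        items[m.group(1).upper()] = filing[m.end():end].strip()
    return items


def flag_signals(text: str) -> list[str]:
    """Return the watch-list phrases present in the text (case-insensitive, sorted)."""
    low = text.lower()
    return sorted(k for k in KEYWORDS if k.lower() in low)


@dataclass
class DisclosureChange:
    item: str
    added_lines: list[str] = field(default_factory=list)
    new_signals: list[str] = field(default_factory=list)


def diff_disclosures(old: str, new: str, watch_items=("1A", "1C")) -> list[DisclosureChange]:
    """Compare the watched items of two filing snapshots.

    Reports lines added in the newer filing and watch-list phrases that were
    absent from the older version of the same item. Diffing against the prior
    filing, rather than matching keywords on one filing, keeps boilerplate such
    as "we have not experienced a material incident" from firing every year.
    """
    old_items, new_items = split_items(old), split_items(new)
    changes = []
    for item in watch_items:
        before, after = old_items.get(item, ""), new_items.get(item, "")
        added = [line[1:] for line in difflib.unified_diff(
                     before.splitlines(), after.splitlines(), lineterm="", n=0)
                 if line.startswith("+") and not line.startswith("+++")]
        already = set(flag_signals(before))
        new_sig = [s for s in flag_signals(after) if s not in already]
        if added or new_sig:
            changes.append(DisclosureChange(item, added, new_sig))
    return changes


if __name__ == "__main__":
    for c in diff_disclosures(FILING_2023, FILING_2024):
        print(f"Item {c.item}: new signals {c.new_signals}")
        for line in c.added_lines:
            print("  +", line)
```

Run against the two snapshots, the script reports Item 1A gaining "ransomware" and Item 1C gaining "ransomware", "8-K" and "Item 1.05", which is the trigger for prioritizing that supplier's assessment. Keyword matching alone does not understand negation (the 2023 text contains "cybersecurity incident" inside a denial), so the per-item diff against the prior filing is what makes the alert meaningful.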
3. Enhanced Supply Chain Risk Management:
Mapping Interdependencies: ThreatNG can map out your supply chain ecosystem by analyzing the SEC filings of various partners, highlighting potential weak links and cascading risks.
Prioritizing Risk Mitigation: The solution can prioritize which suppliers need the most immediate security attention based on their disclosed risks.
4. Integration with Security, GRC, and Risk Management Solutions:
ThreatNG can integrate with various security and risk management solutions to provide a holistic view of your organization's security posture. Here's how it might work together:
Security Information and Event Management (SIEM): ThreatNG can feed risk data extracted from SEC filings into your SIEM as context, so that events involving a counterparty with a newly disclosed incident (for example, logins from its service accounts or traffic over its integrations) can be correlated and prioritized.
Governance, Risk, and Compliance (GRC) Platform: ThreatNG can provide risk insights from SEC filings to your GRC platform, enabling a more comprehensive risk assessment and better decision-making.
Vulnerability Management Solutions: ThreatNG can identify vulnerabilities potentially related to disclosed risks in SEC filings, allowing your vulnerability management solution to prioritize patching efforts.
Example: A Retail Company and its Cloud Provider
A retail company uses ThreatNG to analyze the SEC filings of its cloud provider.
ThreatNG identifies that the cloud provider recently disclosed a data breach (under the 2023 rules, a material incident would appear on Form 8-K Item 1.05) and is investing heavily in cybersecurity.
This information is fed into the company's SIEM and GRC platform.
The SIEM raises the monitoring priority on activity involving the provider's integrations (API credentials, service accounts, data flows), and the GRC platform records the breach as a third-party risk requiring follow-up.
The retail company can then prioritize a security assessment of the cloud provider and adjust its own data security measures, such as the data it stores with that provider and the credentials it grants.
By integrating threat intelligence from SEC filings with existing security solutions, ThreatNG enables organizations to proactively manage risks and build a more resilient security posture.