Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


How Your Organization and Vendors Can Comply With the SEC Data Breach Notification Rule

5 min read
Featured Image

On July 26, the Securities and Exchange Commission (SEC) released its final rule for disclosure related to cybersecurity incidents for all publicly traded companies. According to the final rule, the requirements are in response to three specific trends:

Note: The italics indicate what’s directly from the final rule.

  • First, an ever-increasing share of economic activity is dependent on electronic systems, such that disruptions to those systems can have significant effects on registrants and, in the case of large-scale attacks, systemic effects on the economy as a whole.
  • Second, there has been a substantial rise in the prevalence of cybersecurity incidents, propelled by several factors: the increase in remote work spurred by the COVID-19 pandemic; the increasing reliance on third-party service providers for information technology services; and the rapid monetization of cyberattacks facilitated by ransomware, black markets for stolen data, and crypto-asset technology.
  • Third, the costs and adverse consequences of cybersecurity incidents to companies are increasing; such costs include business interruption, lost revenue, ransom payments, remediation costs, liabilities to affected parties, cybersecurity protection costs, lost assets, litigation risks, and reputational damage.

The rule was revised, and the scope of disclosed information was narrowed, since its proposal in March 2022. The newly adopted rule is still intended to provide consistent and comparable disclosures that would help investors evaluate an organization’s exposure to cybersecurity risks and incidents. It would also help evaluate an organization’s ability to manage and minimize those risks. That should enable investors to make informed decisions.

Summary of Requirements for Your Organization and Vendors

  • Investigate immediately – After discovering an incident, organizations should promptly assess if it’s considered material and file an Item 1.05 Form 8-K within four business days. The clock starts ticking from the day the incident is determined as material – not within four days of the incident.
  • Comply with regulations – When determining materiality, it’s important to follow federal securities guidelines, which consider both quantitative and qualitative factors.
  • Delay only if necessary – To delay the filing of an Item 1.05 Form 8-K, an organization must receive written notification from the U.S. attorney general stating that immediate disclosure would pose a significant risk to public safety or national security.

When an incident occurs, organizations must provide:  

  • A detailed description of what happened, including the extent and timing of the incident's impact on the organization. If the necessary information isn’t known yet, the 8-K filing should disclose this fact. Organizations should update it later when more information is determined or available.
  • The organization’s process, if any, for assessing, identifying, and managing material risks from cybersecurity threats, including: 
    • If cybersecurity is included in the comprehensive risk management plan, if external consultants, auditors, or third parties are involved, and if there are processes in place to monitor and detect risks associated with third-party usage.
    • Details regarding the extent cybersecurity threats have been exerted or are anticipated to significantly influence the organization’s business strategy, financial condition, or operations. 
    • Disclosure of the board's responsibility for overseeing cybersecurity risks and management's role in evaluating and addressing significant cybersecurity threats.
    • The qualifications of the individuals in charge of the organization’s cybersecurity management.

The newly adopted rule also applies to Foreign Private Issuers. They must provide information on material cybersecurity incidents that they disclose or publicize in a foreign jurisdiction to stock exchanges or security holders using Form 6-K.

Foreign Private Issuers are also required to use Form 20-F to:

  • Provide an explanation of how the board oversees and manages cybersecurity risks
  • Explain how management is responsible for identifying and handling material risks associated with cybersecurity threats    

SEC breach notification rule

Next Steps for Your Organization and Vendors to Prepare for Compliance With the SEC Rule

The rule becomes effective on August 28, 2023, 30 days after its initial publication. Beyond reading and reviewing both the adopted rule and the fact sheet, it’s important to keep the following in mind to ensure compliance:

  1. Organizations should review and update their information security program. Document processes for identifying and mitigating cybersecurity risk, including how it assesses third-party risk. They should also examine reporting and governance processes, including cybersecurity incident response plans, to ensure they can promptly determine whether a cybersecurity incident, or a series of cybersecurity incidents, is material and requires reporting under the new rule.
  2. Board members must understand the significance of active participation in supervising the organization’s cybersecurity risk management. This is highlighted by the final rule. Board members should be kept informed about the organization’s cybersecurity hazards and any incidents that occur. They must consider how these factors are incorporated into the organization’s business strategy and financial planning.
  3. Management must understand the cybersecurity risks of the organization and the strategies implemented to control those risks. They must collaborate with the organization’s cybersecurity team to guarantee the efficiency of the cyber risk management program and promptly disclose any major cybersecurity risks and incidents.
  4. The cybersecurity incident response team should establish procedures for quickly detecting and assessing cybersecurity incidents. They should also provide sufficient information to leadership and counsel so they can assess the significance of an incident and report it immediately if it’s considered significant.

Organizations that fall under the new regulation must recognize that cybersecurity risk is a crucial business risk and take appropriate measures. Per the requirement, they must reveal significant cybersecurity incidents.

To stay ahead of the competition and prevent severe financial losses and loss of investor trust, organizations must take significant steps toward managing cybersecurity risk. This responsibility falls not only on the cybersecurity teams but also on the board and management. They must be aware and engaged to guarantee that the organization's cybersecurity policies, risk management practices, and controls, along with those of third parties, are identified, managed, and monitored.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo