The Securities and Exchange Commission adopted rules mandating that public companies disclose cybersecurity incidents. This annual requirement also stipulates that companies must share risk management, strategy, and governance for digital systems and practices.

The SEC rules directly affect software and CISOs

Looking to protect investors, the SEC’s new requirements hold companies responsible for data breaches. This means that CISOs are ultimately liable for organizational incursions and data theft. In the case of software supply chain attacks, a CISO may be held responsible for a breach even if the exploited vulnerability occurred higher up the software supply chain. 

Even without a data breach, companies and CISOs now assume additional risk in investment and even public trust, where this information disclosure may show insufficient software protections within an organization. To protect both investors and the organization—while remaining in legal compliance—CISOs must implement policies and practices that remedy software supply chain risks.

5 steps for addressing supply chain risks

1. Build a complete map of your supply chain
   
   A comprehensive understanding of all the components drawn from the supply chain will help you identify risks. Consider asking questions like these: “Do we trust the provided software?” “Is the code signed?” “Have our top security officers reviewed the Software Bill of Materials (SBOM)?”
   
   
2. Analyze the security practices of your providers
   
   Assess your providers, so you can weed out software that doesn’t adhere to proper “cyber hygiene.” Examine cloud providers and confirm the presence of security measures that protect against threats.
   
   
3. Keep everything up to date
   
   If an equipment supplier goes bankrupt or closes, replace that component immediately. Software that isn’t properly maintained or has become outdated opens your entire build to risk.
   
   
4. Change your policies and practices to risk-first
   
   Too often, security measures sit only in certain parts of the build. By adopting a risk-first approach, you protect the entire software development lifecycle.
   
   
5. Collaborate within your organization
   
   It’s not enough to hold a map of your full software supply chain. You also need to know how components of the chain affect other parts of the business. These can be just as big a a risk factor. Work closely with other departments, especially engineering, to know exactly what’s entering and exiting your corporate ecosystem. 

Successful compliance is tied to visibility and automation

As organizations look to meet these new SEC compliance rules, they may encounter additional burdens when it comes to protecting software. Internal policies and best practices will help teams know what’s expected, but when it comes to the daily effort to combat software supply chain vulnerabilities, automated tools for scanning, visibility, and signing—along with the right kind of SBOM—will likely draw the line between manageable compliance and taxing risks for companies. 

When you’re looking to plot a path forward, focus on three steps: 

1. Make sure you understand the new SEC rules. 
2. Set policies and procedures to meet compliance. 
3. Deploy the right tools to protect your data.