AN IMPORTANT DEADLINE ON THE 15th CONCERNING SOC 2 AUDIT CHANGES
Most Americans are aware of April 15th, the traditional date for filing taxes in the U.S. If you are a technology service provider that manages or stores customer data, there is another deadline that falls on the 15th that should concern you. For SOC 2 report periods ending on or after December 15, 2018, every company that undergoes a SOC 2 examination must report against the new guidance and Trust Services Criteria that the AICPA issued in 2017. The changes are the result of mapping the SOC 2 criteria to the 17 principles of the widely adopted internal control framework created by the Committee of Sponsoring Organizations (COSO). Until December 15th, companies may choose either the 2016 or the 2017 criteria. For those unfamiliar with SOC reporting, this may all sound confusing and complicated, and you may wonder how it is relevant to you at all.
WHAT IS SOC 2?
SOC used to stand for Service Organization Control but now stands for System and Organization Controls. A SOC examination is an attestation engagement that focuses on the internal controls a service organization operates on behalf of its customers. There are several types of SOC report, each with a different scope. SOC 1 covers controls that are relevant to a customer's financial reporting; organizations that typically need a SOC 1 report include loan servicers, payroll or medical claims processors, and SaaS or data center companies that host financial data for their clients. SOC 2, developed by the American Institute of Certified Public Accountants (AICPA), applies to technology-based service organizations that store or process customer data and covers controls relevant to security, availability, processing integrity, confidentiality and privacy.
WHY WAS THE SOC 2 REPORT CREATED?
The widespread growth of cloud computing and business outsourcing created the need for SOC 2 reporting. Companies such as SaaS vendors are responsible for the security of the services they provide. SOC 2 helps security-conscious businesses determine whether a service provider has implemented the controls needed to manage their data securely and protect the interests of everyone involved. Strictly speaking, SOC 2 is not a certification: an independent CPA firm examines the extent to which the service provider's controls meet the stated Trust Services Criteria and issues an attestation report. A Type 1 report covers the design of controls at a point in time; a Type 2 report covers whether those controls operated effectively over a period, typically six to twelve months, and is the one most customers ask for. SOC 2 is driven by three factors: assurance, reputation and liability. A SOC 2 examination addresses the third-party risk concerns of a chosen service provider by carefully evaluating its internal controls, policies and procedures for protecting the data of its clients and partners.
WHAT IS THE PURPOSE OF SOC 2?
Assurance is critical in today's business environment, in which a single data breach can cripple operations and credibility for even the largest corporations. While news stories predominantly report on cyberattacks involving the biggest corporate names, the fact is that 61 percent of breaches hit smaller businesses last year, according to the 2018 Verizon Data Breach Investigations Report, up from 55 percent the year before. Although 82 percent of small business owners do not consider themselves a target for a cyberattack, the risks are real, and expensive. Cyberattacks cost small businesses between $84,000 and $148,000 a year. Factor in the cost of liability and litigation, and it is no wonder that 60 percent of small businesses are reported to go out of business within six months of an attack.
Just as damaging is the cost to a business's reputation. A business is only as good as its reputation, something that takes years to cultivate as a brand yet can be tarnished by a single data breach. Businesses need to protect their brand and standing, which is why it is so important to evaluate third parties and establish confidence in them before entrusting them with your data. Unfortunately, according to a recent global survey, 32 percent of business professionals involved in third-party management do not evaluate third parties at all before engaging them. The good news is that more than two-thirds do, with 90 percent reporting that their key aim in third-party evaluation is to protect their organization from risk and damage; the ability to comply with laws and regulations came second (82 percent). For a business selecting a SaaS provider, a SOC 2 report should be considered a minimum requirement of the evaluation; ask for the Type 2 report rather than a bridge letter or a summary, and read the scope, the exceptions noted by the auditor, and the complementary user entity controls that the provider expects you to operate. For an organization that obtains a SOC 2 report, it provides your customers a level of assurance that you have processes in place to protect systems, monitor them, and react to suspicious activity or discovered threats. Not only does it serve as a declaration of confidence for existing and potential customers, but it can be a strategic advantage that establishes your credibility in an increasingly competitive market. A SOC 2 audit establishes confidence in the minds of your customers that they can trust you with their sensitive data and adds value to your reputation and marketing initiatives.
WHAT IS THE FOCUS OF THE NEW SOC 2 AUDIT?
Every company today should have a proactive risk management process that includes a risk analysis and assessment. The SOC 2 audit can help in these endeavors, as it requires you to develop security policies and procedures that address five Trust Services categories. Only Security (the "common criteria") is required in every SOC 2 report; the other four are included when they are relevant to the service commitments you make to customers.
- Security – Confirms that policies, procedures, access controls and security tooling are in place and used to protect the system against unauthorized access, use, disclosure and damage, and to detect and respond to security incidents.
- Availability – Refers to the accessibility of the system as stipulated by contract or SLAs, covering items such as capacity and performance monitoring, redundancy and recovery.
- Processing Integrity – Concerns whether system processing is complete, valid, accurate, timely and authorized to meet the organization's objectives.
- Confidentiality – Involves the safeguarding of information designated as confidential and assurance that its access and disclosure are restricted to authorized parties. Controls typically include access restrictions, encryption of data at rest and in transit, and network segmentation with firewalls.
- Privacy – Addresses the notice, choice, collection, use, retention, disclosure and disposal of personal information in conformity with the organization's privacy notice and with generally accepted privacy principles.
The changes in the 2017 Trust Services Criteria that take effect on December 15th emphasize greater transparency toward customers and business partners about service commitments and system requirements. One example is the required disclosure, in the system description, of significant incidents that occurred during the audit period.
PREPARING FOR AN SOC 2 AUDIT
Risk management is an ongoing process that starts at the top of your organization. It is a dynamic process with moving targets, because technology and threats evolve constantly. With ever-increasing emphasis on cybersecurity, SOC 2 reporting will become even more widely recognized as an established way to corroborate a company's preventive security practices and strategies. This of course requires you to have your policies and procedures documented and well thought out, and to be able to produce evidence that the controls actually operated throughout the period (access reviews, change records, vulnerability scan results, incident tickets). If you do not, consult an information security company with experience in advising on and formulating risk management strategies, designing access controls, and writing policy and procedure documentation. For those who already have the necessary structure, a readiness assessment can determine your preparedness for a SOC audit. Consider it a dress rehearsal for the real thing, allowing you to address any issues that could negatively affect your official audit.
Develop and implement your security strategy by leveraging the Duty of Care Risk Analysis Standard to ensure you have a balanced approach for your compliance requirements, security obligations, and business objectives.