Third-Party Vendor Cybersecurity Risk and SOC 2+ Reports
Service Organization Control (SOC) 2+ reports are a valuable tool for organizations evaluating the cybersecurity risk of their third-party vendors. Organizations frequently outsource key functions to service organizations (or vendors) that provide specialized business-process outsourcing services. As a result, organizations typically share sensitive data – such as financial transactions, customer lists, and patient records – with their vendors and expect them to treat the shared information securely and confidentially.
Organizations expect that their vendors have implemented appropriate cybersecurity controls. However, in a 2014 survey of midsize-business owners and C-level executives by The Hartford, 13 percent of the respondents indicated that a supplier’s data breach had affected their business information.
In order to properly evaluate cybersecurity risk, organizations must include an evaluation of their vendors in their risk assessment. The third-party risk management activities an organization chooses to perform for each vendor should be based on the risks associated with the vendor. Service organizations are frequently asked to provide evidence of having implemented proper controls to protect their customer data.
A common method of providing information about a service organization’s control environment is a SOC report issued by an independent CPA firm. A SOC 2+ report is one type of SOC report that a service organization can provide to a user organization. The SOC 2+ report evolved from the industry-accepted and trusted SOC 2 report.
Advantages of SOC 2+ Reports
A recent news release from the American Institute of Certified Public Accountants (AICPA) discusses the use of a SOC 2+ report to provide end users with information about the design and operating effectiveness of controls related to the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) requirements and the AICPA’s Trust Services Principles: security, availability, processing integrity, confidentiality, and privacy. A SOC 2+ report allows a service organization to report not only on the AICPA’s Trust Services Principles but also on another applicable control framework, which is a bonus for service organizations that want to demonstrate compliance with that additional framework.
Service organizations are often required to demonstrate compliance with different control frameworks depending on the industry in which they operate. A SOC 2+ report can be a valuable tool for service organizations to demonstrate the controls they have implemented for particular frameworks. For example, a service organization may need to demonstrate that it has implemented controls related to one of the following frameworks:
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)
- HITRUST CSF
- COBIT 5
- Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Framework
- International Organization for Standardization (ISO) 27001
In general, these control frameworks can be mapped to the AICPA’s Trust Services Principles, allowing the design and operating effectiveness of framework-related controls to be represented in a SOC 2+ report.
To demonstrate how it has implemented cybersecurity controls, a service organization can provide a SOC 2+ report covering the NIST Cybersecurity Framework and the AICPA’s Trust Services Principles. The report includes the service auditor’s opinion, a management assertion related to the controls, a detailed description of the controls implemented by the service organization, and a detailed description of the service auditor’s tests of those controls and their results, related to the NIST Cybersecurity Framework and the selected Trust Services Principles. SOC reports are considered a reliable resource for user organizations evaluating a vendor’s controls because:
- The report is issued by an independent CPA firm.
- CPAs are required to comply with a code of ethics.
- CPAs are required to complete annual training requirements.
- CPAs are required to have appropriate training and understanding of the subject matter area they are examining.
- CPA firms are required to undergo internal and external quality reviews related to their work product.
- SOC reports can be compared to one another to evaluate multiple vendors.
When an organization outsources services to a vendor, the vendor’s control environment effectively becomes part of the organization’s own control environment. Therefore, evaluating the controls of each service provider in use is an important component of managing cybersecurity risk. SOC 2+ reports provide a trusted and effective method for evaluating a vendor’s controls.