Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books


SOC for Cybersecurity: Let Your Stakeholders Know You’re Ready for the Threats

Aug 23, 2017

Imagine reading this in the news:  YOUR ORGANIZATION’S NAME today announced it was a victim of a cyber-attack that resulted in a data breach compromising 5,000 customer records and taking the organization’s systems offline for 72 hours, crippling its operations.

Now imagine reading this instead:  YOUR ORGANIZATION’S NAME today announced that it has undergone a System and Organization Controls (SOC) examination resulting in a CPA’s report stating that it has maintained effective controls over the security of its system and data. 

It’s not hard to decide which news you’d welcome more. Why not ensure that good news with a SOC for cybersecurity report from a qualified CPA firm?

Cybersecurity Threats Are Soaring

Threats and attacks are disrupting business operations and unnerving boards of directors, managers, customers, investors, and other stakeholders in organizations of all sizes, both public and private. In fact, cyber hackers have gone well beyond targeting just large Fortune 500 companies.

Hackers have become “equal opportunity offenders,” identifying organizations of all sizes and across all industries as potential targets. That includes small businesses, manufacturers, health care providers, financial institutions, nonprofit organizations, and more—all are targets, and all have something of value.  

For instance, valuable information can include employee lists, bank account/credit card information, medical records, insurance information, supplier lists and pricing, customer lists, vendor lists, donor lists, trade secrets/formulas, intellectual property, and so on. All of it has some value to attackers. Like what for instance?

  • Financial institutions/financial services companies possess nonpublic data on their account holders, including names, dates of birth, social security numbers, account names and numbers, beneficiaries, policy amounts, investment account balances, and holdings.
  • Health care organizations such as hospitals, physician practices, and dentists hold medical records, credit card information, insurance company information, prescription information, family names, health care power of attorney documents, and employee records that include compensation information.
  • Manufacturers have information on employees, including payroll data, dates of birth, addresses, family information, and benefit information. They also have supplier lists and pricing, strategic plans, product R&D documentation, customer lists, and bank account information.
  • Nonprofit organizations hold nonpublic information on the users of their services, as well as donor lists, contribution levels, and sometimes credit card information.

The reality is that no organization is immune from cyber threats, and it is very likely that an attack will happen to yours. Your organization must ensure it is protecting its client and customer information. If not properly prepared, the costs to repair reputational damage and become operational in a very short time frame are significant.

What’s more, your organization is likely under increasing pressure to demonstrate that it is indeed managing cybersecurity threats and that it has effective processes and controls in place to detect, respond to, mitigate, and recover from breaches and other security events. Can it?

Protect and Assure With a SOC Cybersecurity Exam and Report From a CPA

Managing a comprehensive cybersecurity program is essential to minimizing the impact of a cyber-attack or data loss. Yet even with a sound program firmly in place, how do you know it’s actually effective? And how can you reassure your stakeholders, customers, patients, and the public that you’re doing everything right?

To address the market need for such assurances, the American Institute of Certified Public Accountants (AICPA) has developed a reporting framework as a key component of a new SOC for Cybersecurity.

SOC for Cybersecurity is a market-driven, flexible, and voluntary reporting framework to help organizations communicate about their cybersecurity risk management program and the effectiveness of controls within that program. It uses a common, underlying language for cybersecurity risk management reporting to enable all organizations—in all industries—to communicate relevant information about their cybersecurity risk management programs.

Through the engagement, a qualified CPA firm uses the AICPA guidance to assess the adequacy of your organization's cyber program. CPAs with a specialization in information technology can further help you address cybersecurity concerns by identifying potential internal risks and offering proactive steps to safeguard valuable client and customer information. 

At the conclusion of the engagement, the CPA firm will issue a report on your organization’s enterprise-wide cybersecurity risk management program. This information can help senior management, boards of directors, analysts, investors, and business partners gain a better understanding of your organization’s efforts. But it can also be shared with customers, suppliers, stakeholders, and other interested parties, giving them the assurances they deserve.

Increase Your Confidence…and Theirs

There’s no better way to validate your cybersecurity efforts than with an independent SOC for Cybersecurity exam, and there’s no better way to easily communicate it to all your audiences than with a SOC for Cybersecurity report from an experienced CPA firm.


Robert D. Cedergren, CPA, CGMA, CITP, CISM, CISA, CGEIT
Partner In Charge, Risk Advisory Services
View Profile
Torpey White, CPA, CITP, CISA, CGMA
View Profile
It's No Longer a Question of "If," It's a Question of "When"

Protect, detect, respond, and recover with Wipfli Cybersecurity Services.