Verify Third-Party Security: The Role of SOC 2 Reports
Outsourcing portions of your business to third-party vendors via the cloud and the Internet creates great efficiencies, but it also introduces tremendous challenges. Information stored in the cloud, information stored at a third-party location, and information in transit can all put organizations and their customers at risk.
In a recent study, 49 percent of companies confirmed that their organizations had experienced a data breach caused by one of their vendors. More worrisome? Sixteen percent weren’t sure!
Organizations whose customers depend on obtaining services from them via the Internet or cloud-based services accept some level of risk to their data. The degree of risk organizations are willing to live with has started to increase, even as they face an entirely unique set of cybersecurity risks. In particular, it can be difficult to detect, mitigate, and minimize the risks that arise when third parties have access to sensitive or confidential information.
As a result, some industries—namely, financial institutions, health care providers, and e‑commerce companies—are being required by their regulators to have a cybersecurity strategy that includes vendor management and security assurance. Unfortunately, threats to an organization’s data are not limited to those regulated industries. Without a sound internal control environment to rely on, many organizations are facing unnecessary risks to their data that is managed, stored, and processed by third-party vendors.
All organizations—regardless of size, industry, and complexity—need to have a cybersecurity strategy. All organizations have data that is valuable and would be desired by a cyber thief. And the security of your data is only as good as the security of those who have access to it.
Therefore, organizations should require that any selected third-party provider meet baseline requirements for security and privacy. Here are some fundamental ways to pursue assurance:
- Review service level agreements. You’ll want to ensure agreements cover the gamut of data security measures, incident response plans (including breaches), business continuity, and recovery activities.
- Go beyond the contractual agreement. Conduct audits and assessments to evaluate the vendor’s security and privacy practices.
- Ask about their security measures. Inquire about the kinds and frequency of security tests your vendor undergoes (vulnerability assessments, penetration testing, social engineering testing, business continuity plans and testing, etc.). Ask about the findings, along with the steps taken to address any weaknesses.
- Require independent attestation of their cybersecurity program. The American Institute of Certified Public Accountants (AICPA) offers a framework for evaluating business- and technology-related controls and other safeguards employed by third-party vendors, including cloud service providers, and any business associates that provide Internet services which customers use to initiate, process, report, and manage their data.
Specifically, the AICPA’s SOC 2® reports are intended to meet the needs of a broad range of users who need information and assurance about the controls designed and implemented at third-party vendors (referred to as service organizations) related to security, confidentiality, availability, processing integrity, and privacy—the five Trust Services Principles (TSP). The definition of each principle covers the following:
- Security – The system is protected against unauthorized access (both physical and logical).
- Confidentiality – Information designated as confidential is protected as committed or agreed.
- Availability – The system is available for operation and use as committed or agreed.
- Processing integrity – System processing is complete, accurate, timely, and authorized.
- Privacy – Personal information is collected, used, retained, disclosed, and disposed of appropriately.
The purpose and intent of the SOC 2 audit are for a qualified, independent CPA firm to test the controls related to one or a combination of the TSP to determine whether they are properly designed and operating effectively.
- Monitor their security and privacy practices. It is still your organization’s responsibility to ensure the adequacy of your vendor’s practices. It’s imperative that you review, assess, and check those practices randomly and regularly.
Ask yourself this question: After spending a significant amount of time performing due diligence with any third-party vendor to craft a sound contract or service level agreement, why wouldn’t we want to know whether that vendor is fulfilling the terms of the contract? Don’t you owe that to yourself and your customers?
Source: Ponemon Institute Research Report, April 2016
Partner In Charge, Risk Advisory Services