In today’s business climate, companies are realistically asking “when,” not “if” a data breach or other cybersecurity event will occur. To help, the AICPA created a framework that businesses can use to demonstrate they have effective risk management practices in place.
The SOC for Cybersecurity framework provides both structure and transparency into how your company manages cybersecurity risks. By following the guidelines and having a third party assess your risk management program, the benefit to your business is twofold: 1) leaders get essential information for decision-making, and 2) stakeholders gain more confidence that your cybersecurity program is properly designed.
Why SOC for Cybersecurity?
Cybersecurity threats are growing. In 2019 there were 3,950 confirmed breaches worldwide, based on the Verizon 2020 Data Breach Investigations Report. But there are many, many more security events that happen at smaller businesses you never hear about. Of the confirmed breaches Verizon studied:
- 70% were perpetrated by outsiders
- 55% were by organized crime
- 43% were attacks on web applications (more than double the prior year)
- 86% were financially motivated
- 58% of victims had personal data compromised
- 28% involved small business victims
Cybersecurity consistently ranks among the top risks concerning business leaders, and those concerns are growing as COVID-19 places unprecedented demand on businesses to work remotely without jeopardizing customer security.
Executive management and boards are paying close attention to cybersecurity, for the protection of their customers and their brand. In a B2B environment, customers are increasingly demanding a sophisticated level of due diligence regarding cybersecurity — and even B2C is taking notice.
SOC for Cybersecurity vs SOC 2
Organizations do have a few options to choose from when assessing their security controls. The SOC for Cybersecurity, first introduced in 2017, has some overlap with the SOC 2 assessment. And while that’s led to some confusion in the marketplace, the assessments have several notable differences:
1. Scope
SOC for Cybersecurity provides information about your organization’s cybersecurity risk management program. It can be applied to any kind of organization and can be leveraged as a prescriptive tool your organization can use to be proactive and preventive in terms of managing security risks.
A SOC 2 report, however, is a detailed reporting framework designed to evaluate how a service provider is managing a business partner’s data. As such, the scope is limited to a defined service.
2. Intended audience
SOC for Cybersecurity is designed for a broad range of general users. This report is appropriate for C-suite leaders as well as general stakeholders with an interest in knowing your organization’s risk management program is thorough and well-designed.
The SOC 2 is a detailed audit report that contains sensitive information on your security controls. It’s intended for limited, specialized audiences that need to vet your specific service system.
3. Controls baseline
With SOC for Cybersecurity, you can use a range of underlying frameworks — including TSP, NIST, COBIT, FISMA — as the controls baseline. This makes SOC for Cybersecurity a flexible and adaptive tool that’s easier to incorporate with an existing risk management program.
A SOC 2 report, however, is based exclusively on the five Trust Services Principles (TSP) — a set of criteria defined by the AICPA to manage customer data, specifically security, availability, processing integrity, confidentiality and privacy.
4. Third-party risk
As part of risk management, your organization needs to evaluate the “subservice organizations” that help deliver the services you provide. Risk to those third parties represents risk to your business environment.
In a SOC 2 report, you have to make a determination whether to include a subservice organization in your assessment or whether to carve them out from the scope of the report.
The SOC for Cybersecurity, however, doesn’t allow for the carve-out option. While that means you don’t get to “offload” risk responsibility onto a third party, it also provides you and your stakeholders a more complete, holistic view of your risk.
5. Sensitive information
Both the SOC for Cybersecurity report and the SOC 2 contain a description of the business or system to be assessed, a written assertion from management, and a CPA opinion on the effectiveness of the relevant controls.
A SOC 2 report, however, also contains the full Trust Services Principles matrix, along with the auditor’s tests of controls and their results. As such, the report can contain sensitive information that should only be shared with necessary parties.
Which assessment you choose will depend on the current state of your risk management efforts, your legal obligations, stakeholder demands and your business goals. Some larger organizations may choose both assessments in order to get an overview of cybersecurity risk in the overall organization as well as a targeted, detailed report for a specific service line.
A SOC for Cybersecurity assessment can be done for any organization, regardless of size or industry. As a general-use report intended for management, business partners, customers and other stakeholders, it provides a valuable tool for planning and decision-making.
Both tools demonstrate a commitment to security, but the SOC for Cybersecurity indicates a broader level of assurance that may be valued by key stakeholders.
Wipfli’s role in cybersecurity
Wipfli has a long track record in evaluating security controls and helping organizations shape their risk management programs. Our teams are experienced in enterprise risk management, cybersecurity and audit attestations.
Wipfli conducts SOC examinations, including SOC 1, SOC 2 and SOC for Cybersecurity audits, as well as other assessments. We can help you determine the right tool for your needs. For more information and to learn more about how your organization can benefit from risk management support, contact us.