Blog

What Is SOC2 Compliance? And Why Is It Important For Your Vendors?

Does your provider practice SOC2 Controls or are there potential gaps in your security measures?

Does your provider practice SOC 2 controls? What to look out for from a prospective vendor

The amount of data being stored in the cloud is growing all the time. Nine out of ten companies use cloud computing, and the market currently exceeds $330 billion.

However, for all the advantages of cloud computing, it’s not without its challenges. A lot of personal and confidential data is held in cloud storage, making it a tempting option for cybercriminals and hackers. After all, you don’t want to find yourself a victim of a phishing attack, denial of service attack or on lockdown thanks to ransomware. Various Municipals have had to pay $400-$600K ransoms while others that have refused to pay are counting their losses in the millions of dollars.

If you are a municipal utility company or government organization and need to identify vendors to handle your sensitive data, you should be looking for evidence that they can effectively and securely manage your customer data. A 3rd-party audited accreditation like SOC 2 can give you peace of mind that your data will not be at risk.

What is SOC 2?

SOC (Service and Organization Controls) 2 is a security certification that was developed by the American Institute of Certified Public Accountants (AICPA).

The SOC 2 accreditation was launched in 2013. It was initially created for the domestic market but can now be achieved across other parts of the world too. Its primary target audience is companies that store company and customer data in the cloud, such as technology companies and those that sell software as a service (SAAS).

SOC 2 reports may be one of two subtypes. Vendors first obtain a Type 1 report. With this report, auditors examine a vendor’s control catalog and make a determination regarding the ability of the controls, as stated by the vendor, to meet the Trusted Service Criteria (TSC).

By itself, a Type 1 report does not indicate that the vendor’s controls are in place and operating effectively. Vendors must operate those controls over a period of time, commonly six months for first audits and one year for subsequent audits, to obtain their Type 2 report. After this audit period, auditors use a sampling methodology to collect evidence regarding the operation of each control during the period. Auditors then issue a Type 2 report, stating whether they believe the controls operated effectively and noting any exceptions they identified. While it is common for Type 2 reports to contain a few exceptions, it is up to the auditor (and ultimately, the customer and/or “report user”) to determine whether those exceptions are material.

When a vendor has the right processes in place, these processes can be reviewed by external auditors who will see if the company adheres to the trust principles they said they wanted to be marked against. If the vendor passes the audit, they are SOC 2 compliant and will have attestation documentation from the 3rd-party auditor to prove it.

Why working with a SOC 2 compliant vendor is important for your organization

Working with vendors that are SOC 2 accredited is critically important for your organization moving forward. Some of the reasons why include:

• It helps your customers and residents put their trust in you when it comes to giving you sensitive data including social security numbers, credit card, or other customer-specific personally identifiable information (PII)
• It helps keep you compliant with state, federal, and international legislation, particularly as it relates to the safeguard and handling of PII customer data
• It protects you against potential cyber-attacks, saving time and money, as well as preventing negative publicity. For example, cyber-attacks are estimated to take 55 days to contain, so it is better to take a proactive approach and mitigate against them

Government and municipal organizations often are a target for cybercriminals as they offer critical services to vulnerable people and have a potentially wide range of access points that can be exploited.

A SOC 2 vendor can work with you to safeguard against these vulnerabilities.

Questions to ask a prospective vendor

If you are shortlisting companies to work with, you will want to find out more about any security accreditations they have. If they have a robust data protection process in place, they will be more than happy to arrange a meeting with your team to tell you more and better yet, show you their SOC 2 compliance letter issued by a 3rd-party auditor.

Some questions you may want to ask them to include:

1. Do you have SOC 2 accreditation? If so, how long have you had it for? If you don’t, are there any plans to achieve it in the future?
2. If you have SOC 2 accreditation, which key trust services criteria did you focus on?
3. What did you learn from your audit, and what processes have you put into place as a result?
4. How do you monitor server activity for hackers and other suspicious activity?
5. What alerts do you have in place in the event of a security incident and who receives them in the company?
6. How do you track and record cloud server activity so you can refer back to it in case of a security breach?
7. What service level agreements (SLAs) do you have in place to detect and fix issues?
8. Do you have a copy of your SOC2 System Description and Auditor’s Letter of Compliance that we can review?

In summary

While SOC 2 is not a legal requirement for your vendors, it is still something that all levels of government, including utilities, should consider requiring for their cloud service providers.

If you are a municipal government that relies on cloud data, it’s essential that any vendors you use have some kind of qualification. This will show that they are handling your data safely and securely and are taking proactive measures to protect your organization’s needs.

Cybersecurity is becoming more and more critical to organizations across the world. Cybercrime has increased by a staggering 600% in 2020 due to the pandemic, and this figure is growing all the time.

If you are a municipal government or utility company, take the time to review your prospective vendors and see if they are compliant or are working towards compliance.

It could be the difference between staying safe and being at risk of a data breach.

Sources:

• https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html
• https://www.techrepublic.com/article/local-governments-continue-to-be-the-biggest-target-for-ransomware-attacks/
• https://www.nytimes.com/2019/07/07/us/florida-ransom-hack.html
• https://www.threatstack.com/blog/not-soc-2-compliant-4-reasons-your-customers-wont-work-with-you
• https://www.itgovernance.eu/blog/en/5-common-questions-about-soc-2-compliance
• https://securityboulevard.com/2020/07/what-is-soc2-compliance-how-does-it-affect-your-business/
• https://www.xplenty.com/blog/everything-you-need-to-know-about-soc-2-compliance/