Vendor Due Diligence: Don't Make This SOC 2 Report Mistake

A vendor is more than its data center

You know SOC 2 reports are a great vendor management tool, but are your critical vendors’ SOC 2 reports telling you everything you need to know about how well they protect your data?

Not necessarily. It depends on which report you are getting.

What Is A SOC 2 Report?

How Does A SOC 2 Report Help with Vendor Due Diligence & Vendor Management?

Avoid This Critical SOC 2 Mistake

What If A Critical Vendor Doesn’t Have a SOC 2 Report? 

What Is A SOC 2 Report?

SOC 2 reports (short for Service Organization Control (SOC) 2 reports) summarize results of an independent audit known as an SSAE 18. The SSAE 18, developed by the American Institute of Certified Public Accountants, is the gold standard for auditing how a company manages customer data, including data stored in the cloud. These comprehensive audits are conducted by independent auditors over several months, culminating with an onsite audit to authenticate the effectiveness of policies and controls.

Unlike a SOC 1, which focuses on financials, a SOC 2 is all about compliance. It covers five areas:

1. Security
2. Availability
3. Process Integrity
4. Compliance
5. Confidentiality

SOC 2 reports come in two types.

• Type 1 reports. Tests controls at one specific point in time.
• Type 2 reports. Tests controls repeatedly over a period of time to reveal trends.

Because they cover a longer period of time, SOC 2 Type 2 reports are more useful.

How Does A SOC 2 Report Help with Vendor Due Diligence & Vendor Management?

An SSAE 18 audit covers nearly everything you need to know about how an outside company protects your data—from data security and privacy to business continuity and internal policies and procedures for personnel. It also shows how exceptions are corrected—or aren’t corrected—to determine vendor reliability.

It’s all about risk management. A SOC 2 evaluates internal controls to see how well a company identifies, assesses, mitigates, and monitors risks. From the board to everyday operations, a SOC 2 can give you confidence that your critical vendor is following best practices to protect your data.

This includes:

Risk assessment. A SOC 2 will let you know how effectively a critical third-party vendor is assessing potential threats to your data. From hardware and software to the potential of staff falling for phishing attacks, the SSAE 18 audit can give you confidence that your vendor is actively uncovering potential risks.

Cybersecurity controls. Once risks are identified, controls need to be put in place to mitigate those risks. A SOC 2 will verify the effectiveness of controls.

Internal & external communication. Data security is about more than firewalls and intrusion detection. It also requires strong communication to ensure that software is proactively patched and updated, new threats are identified, and that staff is regularly trained and reminded of security protocols. A SOC 2 lets you know how well your vendor communicates when it comes to these and other critical areas.

Monitoring, prevention & maintenance. Cyber controls are not a “set it and forget it” type of project. They require ongoing cyber monitoring to ensure they continue to perform as designed. A SOC 2 shows you how effectively your vendor monitors its controls. It gives you confidence that controls are more than just empty promises—that they are fully fleshed out and active.

The SSAE 18 also requires written attestation from management that system descriptions are true and complete, providing additional assurance by creating liability and pressure for management.

All of this makes SOC 2 reports an extremely valuable vendor management tool—but only if the SOC 2 reports on your third-party vendor’s entire operation.

Avoid This Critical SOC 2 Mistake

Vendors are happy to give you a SOC 2 report when they have one. An SSAE 18 audit is a major undertaking and companies that choose to go through the audit must be confident in their risk management to make the process worthwhile.

The problem is when a vendor gives you a SOC 2 report for its cloud data center instead of for its company.

Yes, you want to be confident that the data center your critical vendor uses to store your data is safe and secure. That is critical information. But it’s not everything.

A critical vendor is more than just a data center. It’s employees who have access to your sensitive data. It’s a vendor that uses your data to conduct activities on your behalf.

A data center SOC 2 can’t tell you about the actual vendor you’re contracted with. It only covers the actual data center. You still need to engage in due diligence with your third-party vendor to understand:

• How the company is structured. This includes risk governance and oversight. A company can have the most secure data center in the world, but if the company isn’t proactively managing risks internally, data can still be exposed.
• Who has access to your data? Access to your data should be limited and need-based. Employee access should be curtailed when an employee moves on.
• How fourth-party risk is managed. If your vendor outsources to other third-party vendors and shares your information, you’ll want to know how well your vendor is managing that fourth party. You want evidence of good vendor management.
• How the critical vendor uses your data.
• The overall company’s IT systems and controls. It doesn’t matter how secure the data center is if other parts of the company’s IT systems aren’t secure.
• Physical access and controls. Data can still exist on hard drives and in hard copies. How safe are these?
• Incident response and notification. If something goes wrong somewhere in the process, how will the vendor respond? Will they tell you about it? When?
  
  

Read also: 4 Reasons to Add Cyber Monitoring to Your Vendor Management Program

What If A Critical Vendor Doesn’t Have a SOC 2 Report?

Not every vendor is willing to go through the effort of an SSAE 18 audit, but that doesn’t mean they can give you a copy of their vendor’s data center SOC 2 and call it a day.

If a critical or high-risk vendor does not have a SOC report, it’s still necessary to engage in due diligence to address operational risk and ensure data is protected. It requires collecting documentation to review policies related to organizational governance, risk oversight, personnel, information security, vendor management, data and physical security, cyber controls, data privacy standards, and incident response and notification, among other areas.

As a leader in risk and vendor management, Ncontracts recognizes the burden this due diligence work puts on financial institutions. That’s why our company has elected to undergo regular SSAE 18 audits. We want our clients to be confident in our internal operations and demonstrate our commitment to being a partner that is dedicated to rigorous security, compliance, and operational controls.

Ncontracts encourages its financial institution clients to seek out third-party vendors with SSAE 18s for a more transparent and objective view of their compliance controls. We believe in practicing what we preach to give you peace of mind.

Want to learn more about maximizing the value of vendor SOC reports? Download our on-demand webinar How to Leverage SOC and SSAE 18 Reports Throughout Every Department of Your Financial Institution.