What Is a SOC Report and How Can I Use it for Vendor Management?
What is a SOC report?
A System and Organization Controls (SOC) report is the result of an independent third-party audit, performed by a licensed CPA firm, of a service organization's internal controls. Put simply, it tells you whether a vendor has risk management controls in place and whether an auditor found those controls designed (and, depending on the report type, operating) as described.
A SOC report contains a lot of information, but vendor due diligence requires much more than reviewing a SOC report.
As a vendor management tool, a SOC report offers an initial view into a vendor's security posture: which controls are in place and to what extent they were tested (a Type 1 report describes control design at a point in time, while a Type 2 report tests operating effectiveness over a review period). A thin SOC report does not by itself mean a company has a weak or nonexistent security posture; more questions are needed to assess the risk.
What can a SOC report show you?
SOC reports are a good starting point for digging deeper. For example, the SOC report might note that a company has an anti-spam solution installed and treat that as an effective cyber control. But a quick external check, such as looking up the vendor's SPF and DMARC DNS records, might show that it is still possible to spoof that vendor's domain and phish your institution: an inbound anti-spam filter protects the vendor's own mailboxes, not the mail that others can send in the vendor's name.
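As an added example (not part of the original article, and not a tool the article refers to), the following Python script shows what such an external spoofing check actually examines: the vendor's SPF record, which lists permitted senders, and its DMARC record, which tells receivers what to do with mail that fails. The domain names, TXT records and the verdict logic are constructed for illustration; in a real review you would fetch the TXT records for the domain and for `_dmarc.<domain>` from DNS and feed them to the same function.

```python
from typing import Optional


# Constructed sample records for illustration; in a real review you would
# fetch the TXT records for <domain> and _dmarc.<domain> from DNS instead.
SAMPLE_RECORDS = {
    "vendor-a.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@vendor-a.example",
    },
    "vendor-b.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; pct=100",
    },
    "vendor-c.example": {
        "spf": "v=spf1 +all",
        "dmarc": "v=DMARC1; p=reject",
    },
    "vendor-d.example": {"spf": None, "dmarc": None},
}


def parse_spf(txt: Optional[str]) -> Optional[dict]:
    """Parse an SPF TXT record into its 'all' qualifier and other mechanisms.

    Returns None when the record is absent or is not an SPF record.
    """
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    parsed = {"all": None, "mechanisms": []}
    for term in txt.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # '+' (pass) is the default
        mechanism = term.lstrip("+-~?").lower()
        if mechanism == "all":
            parsed["all"] = qualifier
        else:
            parsed["mechanisms"].append(term)
    return parsed


def parse_dmarc(txt: Optional[str]) -> Optional[dict]:
    """Parse a DMARC TXT record into tag/value pairs; None if missing or malformed."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def assess_spoofability(domain: str, spf_txt: Optional[str], dmarc_txt: Optional[str]) -> dict:
    """Decide whether mail forged as `domain` would be accepted by a receiver
    that honours SPF and DMARC, and list the reasons."""
    findings = []
    spf = parse_spf(spf_txt)
    dmarc = parse_dmarc(dmarc_txt)

    # SPF tells receivers which hosts may send for the domain. Only '-all'
    # (and to a lesser degree '~all') constrains unlisted senders.
    if spf is None:
        findings.append("no SPF record: receivers cannot tell legitimate senders apart")
    elif spf["all"] == "+":
        findings.append("SPF ends in +all: every host on the internet passes SPF")
    elif spf["all"] in ("?", None):
        findings.append("SPF has no restrictive 'all' term: unlisted senders are neutral")
    elif spf["all"] == "~":
        findings.append("SPF ends in ~all (softfail): spoofed mail is usually still delivered")

    # DMARC is what tells receivers to reject or quarantine failing mail;
    # without an enforcing policy, SPF/DKIM failures are only advisory.
    enforced = False
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM failures are not acted on")
    else:
        policy = dmarc["p"].lower()
        pct = int(dmarc.get("pct", "100"))
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is delivered")
        elif pct < 100:
            findings.append(f"DMARC p={policy} applies to only {pct}% of failing mail")
        else:
            enforced = True

    # Even an enforcing DMARC policy is defeated by SPF +all, because any
    # sender then passes SPF with an aligned domain.
    spoofable = (not enforced) or (spf is not None and spf["all"] == "+")
    return {"domain": domain, "spoofable": spoofable, "findings": findings}


def assess_samples() -> dict:
    """Run the check over the constructed sample records."""
    return {
        domain: assess_spoofability(domain, rec["spf"], rec["dmarc"])
        for domain, rec in SAMPLE_RECORDS.items()
    }


if __name__ == "__main__":
    for domain, result in assess_samples().items():
        print(f"{domain}: {'SPOOFABLE' if result['spoofable'] else 'protected'}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Of the four constructed vendors, only vendor-b.example comes out protected (hard-fail SPF plus an enforcing DMARC policy). The others illustrate the usual ways a domain stays spoofable despite having "email security" on paper: a monitoring-only DMARC policy, an SPF record that passes everyone, or no records at all.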
That's why it's important to review other due diligence documentation for vendors in addition to SOC reports. The Federal Reserve, Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) list, among others, the following examples of due diligence documentation in Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks:
- Enforcement actions
- Media reports
- Employment policies
- Policies & procedures
- Complaint management policies
- Marketing disclosures
- Incident response policies
- Insurance documents
Together, these documents allow your institution to conduct a thorough risk assessment that gives you a clear picture of the risks of working with a particular vendor. Skipping that research may leave your institution exposed to third-party breaches and other operational risks.
Nothing is a replacement for a SOC report. It has a specific, important purpose: telling you the story of a third-party vendor so you know what other questions to ask and where to dig deeper.
But it’s not everything, so don’t let it be.