How Can Vendor SOC Reports Reduce Third-party Risk?
Vendors and other third-party business partners have caused some big data breaches.
Does this scenario sound familiar? You are searching for a new vendor. Armed with a vendor due diligence checklist, you come across a promising candidate.
The vendor tells you that they have a SOC 1 report, so you put a check mark next to “regular security assessment performed” and move on to the next item in the checklist.
You are done, right? Well, not exactly.
According to Verizon’s 2022 Data Breach Investigations Report, 61% of small to medium-sized businesses experienced cyberattacks within the past year, putting not only them but also their business partners with robust security infrastructures at risk.
It’s often much easier for attackers to compromise a smaller third-party vendor and use that foothold to reach its larger business partners, even those with strong security controls.
Vendor risk is real, and the value that third parties bring can quickly be eroded by the risks that come with them.
How to Reduce Third-party Risk in SOC Reporting
Reducing third-party risk starts with a strategic vendor sourcing process built on a robust approach to risk management.
In our work with clients going through internal audits and security assessments, we’ve advised them to seek out vendors that undergo regular attestation audits resulting in reports such as SOC 1 and SOC 2.
However, your job doesn’t stop at a checkbox.
Questions to ask to reduce third-party risk:
1. Is it a SOC 1 or SOC 2 report?
- A SOC 1 report evaluates internal controls over financial reporting, while a SOC 2 report evaluates an organization’s information system against the trust services criteria: security, availability, processing integrity, confidentiality and/or privacy.
- A SOC 1 report is adequate if you are only interested in assessing the vendor’s internal controls that affect your financial reporting.
- If you are considering a vendor that will hold, store or process your information (for example a data center, an IT managed service provider, a SaaS vendor, a cloud provider or another technology service), you should look for a vendor with a SOC 2 report.
2. Is it a Type I or Type II report?
- A Type I report describes the controls an organization has in place and their design as of a single point in time. In contrast, a Type II report covers an audit period (typically six months to a year) and provides evidence of how well the organization operated those controls over that period.
- A Type I assessment is a good starting point on the way to a successful Type II assessment. Ultimately, a Type II report shows how the internal controls are actually operating in the organization, so a vendor with a Type II report is a definite plus.
How to Address Controls in SOC Reporting
Now that you have determined which report best fits your needs, it’s time to think about controls.
Questions to ask when conducting third-party due diligence:
1. Does the report cover controls in place at the software vendor or just at a data-hosting center?
- Infrastructure for software applications is often hosted at a third-party data center, so make sure you obtain SOC reports covering both the software vendor and the data center. The report for the software vendor covers the controls over its people, policies and procedures, and data management in place at the vendor (e.g. user access, change management, operations).
- The report for the data center covers the physical and environmental (and, if applicable, technical) controls in place there. If a vendor provides you with a report for the data center only, ask for a report covering the vendor itself. If they don’t have one, be prepared to perform your own due diligence on the vendor, which will require extra effort, cost and time.
2. Are all the internal controls that your company requires in place at the vendor?
- Confirm that the internal controls your organization relies on are also in place at the vendor. The best way to verify this is to map your company’s internal controls to the vendor’s controls included in the report. Where there is a gap, look for other controls in the report that may reduce the risk, and make sure you identify and address any remaining gaps. In addition, review any exceptions listed in the report and make sure the report shows that the vendor addressed them.
- An often overlooked section of the report is the Complementary User Entity Controls section. This is the list of controls that the vendor has identified as essential to achieving some of its own control objectives, and that must be implemented by you, the user entity. If these controls are not properly implemented and operating in your organization, the vendor’s corresponding control objective will not be achieved. For this reason, map these controls to your internal controls to identify and address any gaps in your own control environment.
Ensuring a Safer Technology Environment & Beyond
Your security is only as strong as your weakest link.
Monitoring third-party data security and privacy risk requires a strong and effective process for ongoing vendor management, one that starts long before the contract is signed.
By performing due diligence up front, you will have a better understanding of your vendor’s security posture and be able to confirm that their controls are at least as strong as yours and meet your security requirements.
Need Cybersecurity Support?
We provide advisory services to help companies of all sizes solve complex challenges and support a broad range of organizational transformation services, including Cloud Migration, Cybersecurity/IT Risk & Compliance, Enterprise Solutions and Systems Integration.
Vicki Humphrey is a Director in the Cloud Solutions practice at Bridgepoint Consulting. She has over 20 years of experience managing Cybersecurity and IT compliance projects as well as IT strategy and system development projects.