By Steve Fontaine
It’s been in the news everywhere: cyberattacks targeting some of the United States’ most critical systems, infrastructure and supply chains, coupled with extreme ransomware demands. If you found yourself in an hours-long line for expensive gas last month, then you’re probably familiar with the huge damage that ransomware attacks can do.
Cybersecurity may be the most dangerous threat to all businesses worldwide. According to a recent PwC Global CEO survey, nearly half of CEOs cited cybersecurity as their biggest anxiety in 2021, up 33 percent from last year.
Technology-based organizations, such as lenders, banks and financial institutions, have good reason for concern. With today’s proliferation of remote working and unparalleled reliance on technology, it’s clear many financial institutions are left vulnerable and unprotected while facing immense risk.
And it doesn’t just affect those immediate entities. Most recently, in its third-party proficiency report, Deloitte explained that “companies of all sizes routinely rely upon an ecosystem of outsource service providers (OSPs) to carry out a wide array of functions, many of them mission-critical.” Because this expanded reliance on third-party vendors increases risk immensely, it is more important than ever for financial institutions to vet all service providers, ensuring processes and procedures are protected from a potential security breach.
What Should Lenders Do to Protect Themselves?
In this age of cybersecurity and increased reliance on outsourced providers, how can financial institutions remain secure and safe? According to Deloitte, financial institutions should only consider third-party vendors that have obtained a System and Organization Controls (SOC) 2 Type II report.
Developed by AICPA, SOC 2 is an auditing procedure specifically designed to ensure service providers securely manage customer data. With the increasing use of cloud service platforms, SOC 2 compliance has become a must for technology companies and service providers.
Managed and attested by an independent certified public accountant, the SOC 2 process measures the integrity of IT outsourcing providers in addition to reviewing internal controls for organizational oversight, vendor management, risk management and regulatory oversight for a business. Ultimately, SOC 2 compliance measures a service provider’s formal commitment to data management and security best practices.
Many service providers tout “compliance readiness” based on a “shared responsibility” model, referring to the SOC 2 readiness of their specific cloud providers (e.g., AWS) but not of their own organizations. This framework, however, falls short because it lacks the service provider’s own oversight and long-term commitment to the SOC 2 Trust Services Criteria, policies and procedures, ultimately creating gaps in their business controls and weakening the security blueprint that safeguards their customers’ data.
What is the SOC 2 Process?
For a service provider, a SOC 2 engagement is a lengthy and rigorous exercise requiring months of preparation. The process demands a high degree of coordination and attention to detail to ensure the SOC 2 attestation is completed correctly.
At Trinity, these are the steps we undertook to complete the SOC 2 audit:
- Scoping – Our compliance department and in-house IT team meticulously answer questions related to the documentation, inventory, personnel, third parties, locations, underlying infrastructure and implemented technical controls within the environment.
- Audit – We then collect and provide evidential documentation within each area of interest, as well as complete an on-site visit from KirkpatrickPrice auditors and weekly update calls. Information collected may include data security rules, review of multiple technology systems, verification of data logs, interviews of team members, and the possible updating of policy.
- Delivery – After the on-site visit, the auditor writes the workpapers and a formal report is created and delivered that discusses Trinity’s environment and how it addresses SOC 2 requirements.
- Wrap-Up – Trinity is presented with a detailed writeup, providing the finalized SOC 2 Type 2 report. Additionally, feedback is provided, and all parties participate in an Executive Briefing call and goals are set for the next audit cycle.
The Value of Service Providers Attaining Their SOC 2
No doubt about it, given the ongoing cybersecurity issues, SOC 2 compliance is gaining increasing attention and importance. Still, it remains uncommon among service providers.
The commitment to invest in the SOC 2 Type 2 attestation process creates a number of success factors for both lenders and service providers alike.
- Builds an Elevated Level of Trust – Provides validation that customer data is protected and safe. Because of the formulaic approach necessitated by the SOC 2 structure, the process safeguards client-related information.
- Furthers the Documentation Process – Ensures that processes and procedures are well documented for both internal and external communications, which in turn enables better business practices.
- Improves Overall Security – Mitigates potential attacks while building a strong security process, which assists with audit questionnaires and helps to automate procedures (e.g., multi-factor authentication).
SOC 2 is about putting in place well-defined policies, procedures and practices – not just ticking all of the compliance checkboxes. It requires the implementation of long-term, ongoing internal best practices that ensure the security of customer information and, in turn, the long-term success of your business.
At Trinity, the SOC 2 process is a significant priority as we are now entering our third year of re-attesting our certification. We are fully invested in this strong compliance program because protecting our customers’ most critical assets is not only our job – it is our commitment, one that goes to the very heart of our relationship with each and every client. It is our privilege to do so.