Prepare for Scrutiny of Information Risk Management with SOC for Cybersecurity

August 15, 2018

Businesses today face unprecedented challenges when it comes to protecting sensitive digital information and programs. Unfortunately for many companies, the only feedback they get on the effectiveness of their information risk management systems comes after some form of cyber event, such as ransomware, data loss, a fraudulent wire transfer, or a system outage.

The challenge for the typical business is the lack of a simple and pragmatic means of knowing what should be done to manage cyber risks and what gaps exist.

The AICPA is addressing this need with a new framework and an associated optional report within the System and Organization Controls (SOC) reporting family. This new SOC for Cybersecurity framework can be used by virtually any business to assess whether its risk management practices are appropriate for its business. As with other SOC options, the business can also obtain a report it can use to demonstrate its cyber risk management practices to external stakeholders.

Businesses may already be familiar with another SOC report, the SOC 2, a reporting structure that technology service providers use to report on the status of their internal controls to users of their service. Like SOC 2, SOC for Cybersecurity provides an independent, objective review of a business' information risk management framework.

One key difference between the two is scope: a SOC 2 report covers the systems and processes used to provision a service, while a SOC for Cybersecurity report covers enterprise-wide cybersecurity. Below, we summarize some key distinctions between SOC 2 and SOC for Cybersecurity that businesses should understand.

SOC 2
  Applies to: Service organizations (e.g., cloud service providers, business process outsourcers, etc.)
  Purpose: Provide specified users with information about controls at the service organization to support those users' evaluation of their own systems of internal control
  Scope: A defined system that the service organization uses to process user data
  Report users: The service organization and specified parties such as users and business partners

SOC for Cybersecurity
  Applies to: Any company
  Purpose: Provide users with information about an entity's cybersecurity risk management program, which they can use to make informed decisions
  Scope: Enterprise-wide cybersecurity program
  Report users: Management, directors, analysts, investors and other business partners who are concerned about the effectiveness of the entity's cybersecurity risk management program

Internal Peace of Mind, External Validation

Based on the newly revised Trust Services Criteria ("TSC" or "the criteria"), the SOC for Cybersecurity report provides an objective measurement of an organization's risk management framework, helping a variety of key stakeholders understand how the business' efforts measure up to the criteria.

Companies seeking to complete a SOC for Cybersecurity examination must demonstrate that their existing controls meet the criteria, as applicable and scaled to their risk management needs. But even a company that does not need a formal SOC for Cybersecurity report can gain valuable insight into the pragmatic actions it can take to improve its cyber posture by assessing its existing practices against the TSC.

Businesses that follow through and complete the examination receive a report that details, for management, directors and external stakeholders, the critical aspects of the systems that protect the company's digital assets. In addition, they gain access to a logo that can be used on websites and marketing materials to indicate that their systems have met the criteria.

Meaningful Insights, Broad Applicability

The criteria and the examination process deliver an unbiased assessment of an enterprise's information risk management systems. They offer insight into where aspects of the information risk management program meet or exceed industry standards, and they provide a roadmap for shoring up at-risk systems before weaknesses can be exploited by outside actors.

The criteria align with COSO Internal Control—Integrated Framework (2013), which was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to give executives guidance on designing and implementing effective internal controls to achieve their operational, reporting and compliance objectives. The criteria for a SOC for Cybersecurity report align closely with the COSO framework's 17 principles, many of which have come to be considered foundational to public company financial controls. The criteria are organized according to the framework's five components:

  • Control environment,
  • Communication and information,
  • Risk assessment,
  • Monitoring activities, and
  • Control activities.

Several of the criteria delve more deeply into cybersecurity risks, particularly in the areas of:

  • Logical and physical access controls,
  • System operations,
  • Change management, and
  • Risk mitigation.

Because the criteria align with the established COSO framework, which places governance of information risk management front and center, the SOC for Cybersecurity report delivers insights that give an organization meaningful leverage for change while integrating smoothly with other enterprise-wide information risk management efforts.

Please contact Aprio to discuss how the new SOC for Cybersecurity preparation and exam process could increase the effectiveness of your business’ risk management and the value that your customers and investors place on your business.

For questions or more information, contact Dan Schroeder.