The potential damage and the frequency of data breaches have both risen sharply over the past few years. According to the Identity Theft Resource Center, the number of recorded data breaches in 2021 is up more than 68% compared to 2020 and 23% over the previous all-time high set in 2017.

Why has this trend continued to grow? While there are a variety of factors, one challenge that has no doubt contributed to the situation is cyber literacy. There are various frameworks and approaches used for cyber risk management across organizations, but they do not all use a common language that would allow companies to measure, evaluate and communicate the overall effectiveness of their risk management programs. Further, until recently, there has been no mechanism for an organization to prove to business leaders and key stakeholders that its cybersecurity risk management practices are appropriate and sufficient. To address these issues, the AICPA released a new cybersecurity risk management reporting framework in April of 2017, known as SOC for Cybersecurity.

Since its release, this framework has been a popular topic of discussion throughout various industries, and especially among CPAs and IT professionals, and has been used by numerous organizations to evaluate and validate their cybersecurity control posture.

Before we delve into the details of SOC for Cybersecurity, it’s worth noting that many organizations will already be familiar with another AICPA SOC reporting framework and process, the SOC 2. Any introduction of SOC for Cybersecurity should start with an explanation of the differences between a SOC 2 and a SOC for Cybersecurity.

Key Differences Between SOC 2 and SOC for Cybersecurity

SOC for Cybersecurity does overlap with SOC 2 reports, but they each have different purposes, so it’s important to know and understand each. Here are the primary ways these examination reports differ:

The Scope and Intended Audience of the Report

SOC for Cybersecurity addresses an entity’s cybersecurity risk management program (typically at the enterprise level) and is intended for stakeholders interested in an assurance that an entity’s risk management program is designed and operated effectively.

A SOC 2 report is for organizations that provide one or more IT-related services to customers (as a service provider) and is intended to give those customers information on the relevant controls at the service organization that are associated with the service.

The Controls Baseline Used for Evaluation

The baseline against which an entity is assessed in SOC for Cybersecurity is the Description Criteria, which is a set of benchmarks to be used when preparing and evaluating the presentation of a description of the entity’s cybersecurity risk management program.

The baseline against which a service organization is assessed in a SOC 2 report is one or more Trust Services Criteria, a set of control criteria for use in attestation or consulting engagements to evaluate and report on controls over information and systems utilized in the services provided.

An organization pursuing a SOC for Cybersecurity may utilize the Trust Services Criteria when designing or assessing its control requirements. However, the Description Criteria must be met and addressed in management’s description. A company may also utilize other security frameworks outside of the AICPA’s Trust Services Criteria as the basis for its cybersecurity risk management program, such as NIST 800-53 or ISO 27001/2.

The Report User & Purpose

The intended user for each report is quite different as the reports serve different purposes and audiences.

SOC 2

SOC 2 reports are restricted-use reports intended for people with sufficient knowledge and understanding of the service organization and its system. Often this includes customers who want assurance that the platform they are using is protected by a set of suitably designed and operating security controls. As a general rule, SOC 2 reports can only be shared with customers of the service organization.

SOC for Cybersecurity

SOC for Cybersecurity reports are general-use reports, and the objectives of the report are often determined by company management. These reports are meant for a broader audience than SOC 2 reports and are typically delivered to those who might be impacted by or interested in an entity’s cybersecurity risk management program. Interested parties want confirmation that the company’s cybersecurity efforts are adequately reducing cybersecurity risk. This group includes managers, analysts, investors and even customers. A SOC for Cybersecurity report can be shared with anyone inside or outside an organization, at that organization’s discretion.

Treatment of a Subservice Organization

A “subservice” organization is a third party that provides one or more capabilities to the entity being assessed that fall within the control scope and/or evaluation criteria for the particular assessment. As such, that third party’s services can have a significant impact on the environment that is being assessed.

SOC 2

In a SOC 2 report, service organizations can either include or carve out a subservice vendor from the scope of the report.

SOC for Cybersecurity

Organizations are responsible for all controls within the risk management program, which means that if an entity is utilizing third parties for controls within its program, the entity must include that third party (and the associated controls) in the scope of its evaluation.

Controls Matrix in the Report

SOC 2

In a SOC 2 report, the full trust services criteria and list of controls mapped to these criteria are included in the report along with the CPA’s test of controls and results.

SOC for Cybersecurity

In a SOC for Cybersecurity, the controls matrix is not included in the report. While management’s description of its cybersecurity program is included, as well as management’s assertion and the CPA’s opinion on that description, the detailed cybersecurity controls and the results of the test of each control are not. Including this type of sensitive information about an organization’s control environment could be detrimental to its security posture and could give an attacker useful information for mounting an attack. Therefore, those details are left out of the report.

Should You Switch from SOC 2 to SOC for Cybersecurity?

There is a market need for both of the SOC reports discussed herein, as they are intended for different audiences. Which report you choose ultimately depends on the demands of your customers and key stakeholders, as well as your objectives. In many cases, organizations that conduct a SOC 2 engagement might also invest in a SOC for Cybersecurity report, because it evaluates the organization at the entity level and provides a broader level of assurance and confidence for key stakeholders in a world that’s getting scarier each day.

A SOC for Cybersecurity typically results in an overall analysis and assessment of the cybersecurity controls posture of an organization. This information is often also represented in a cybersecurity risk assessment. But there are key differences between these two types of reports that should be considered when determining which option is best for your organization.

What’s the Difference between SOC for Cybersecurity & Risk Assessments?

Cybersecurity has become an increasingly important priority for almost every major corporation, hospital, financial institution, law firm, and retailer in today’s world. As a result, numerous risk management frameworks have been created to help ensure organizations are properly managing their cybersecurity risks. However, while understanding an entity’s compliance with regulations such as the HIPAA Security Rule and Payment Card Industry Data Security Standard (PCI DSS) has become common practice for many business leaders, the idea of proper cybersecurity risk management hasn’t been as intuitive for non-technical stakeholders, such as board members, directors, analysts, and investors.

While implementing cybersecurity controls to meet a compliance threshold is important, attaining compliance with a regulation does not necessarily mean that an entity is sufficiently secure. In fact, “sufficient cybersecurity” is a subjective measure that typically depends on many factors, including an entity’s industry, the type of data it processes, and its financial condition. All of these factors can affect the amount of cybersecurity risk that an executive team is willing to accept. Because cybersecurity risk tolerance differs from one organization to the next, evaluating an organization’s cybersecurity posture is difficult. It’s even more difficult for business stakeholders who are not cybersecurity mavens.

As the conversation around SOC for Cybersecurity has grown, many of our clients and potential partners have asked how it differs from the current risk assessment analysis process that many entities undergo on an annual basis. The primary difference is that a risk assessment is an evaluation of an organization’s exposure against a specific set of threats, whereas SOC for Cybersecurity is an independent opinion on an entity’s entire risk management program practices (which includes its risk assessment process).

A risk assessment can help an entity identify specific cybersecurity risks to the company, by focusing on the effectiveness of controls that reduce the likelihood that a specific threat will be realized. A risk assessment is not a formal opinion report—it is a prioritized list of threats and remediation actions. SOC for Cybersecurity is a comprehensive analysis that evaluates an entity’s risk assessment process and its governance activities, along with its overall cybersecurity objectives, communications, and control processes. The SOC for Cybersecurity report culminates in an assertion made by management regarding its cybersecurity risk management program practices, and an accompanying opinion, issued by a CPA firm with qualified cybersecurity experts, that lends credibility to management’s assertions.

Could Your Organization Benefit from a SOC for Cybersecurity Analysis?

Because of LBMC Information Security’s position as a leading national IT security firm, we had the opportunity to work alongside the AICPA to develop the SOC for Cybersecurity framework. While the SOC for Cybersecurity analysis is still voluntary, numerous business leaders have expressed interest in learning more about how this report can provide greater confidence to their shareholders and to the business executives who want confirmation that the time and money they are committing to cybersecurity are properly addressing cybersecurity risks.

While risk assessments are a necessary part of any cybersecurity risk management program, a SOC for Cybersecurity analysis may become the “Good Housekeeping” seal of approval for many businesses seeking validation of their cybersecurity efforts.

Could your organization benefit from a SOC for Cybersecurity analysis? Connect with our team to learn more.