The potential damage and frequency of data breaches have increased dramatically over the past few years. According to the Identity Theft Resource Center, the number of recorded data breaches grew steadily from 2011 to 2016, reaching an all-time high of 1,093 reported last year.
Why has this trend continued? While there are a variety of factors, one challenge that has no doubt contributed to the situation is cyber literacy. Organizations use a variety of frameworks and approaches for cyber risk management, with no common language that would allow companies to measure, evaluate and communicate the overall effectiveness of their risk management programs. Further, there has been no mechanism for an organization to demonstrate to business leaders and key stakeholders that its cybersecurity risk management practices are appropriate and sufficient. To address these issues, the AICPA released a new cybersecurity risk management reporting framework in April 2017, known as SOC for Cybersecurity.
Ever since a draft version was published for comment and feedback by the AICPA in 2016, SOC for Cybersecurity has been a popular topic of discussion throughout various industries, and especially among CPAs and IT professionals. SOC for Cybersecurity does overlap with SOC 2 reports, but they each have different purposes, so it’s important to know and understand each.
Key Differences Between SOC 2 and SOC for Cybersecurity
While there are some similarities between a SOC 2 report and the new SOC for Cybersecurity reports, here are the primary ways these examination reports differ:
The Scope and Intended Audience of the Report
SOC for Cybersecurity addresses an entity’s cybersecurity risk management program (typically at the enterprise level) and is intended for stakeholders seeking assurance that the entity’s risk management program is designed and operating effectively.
A SOC 2 report is for organizations that provide one or more IT-related services to customers (as a service provider) and is intended to give those customers information on the relevant controls at the service organization that are associated with the service.
The Controls Baseline Used for Evaluation
The baseline against which an entity is assessed in SOC for Cybersecurity is the Description Criteria, which is a set of benchmarks to be used when preparing and evaluating the presentation of a description of the entity’s cybersecurity risk management program.
The baseline against which a service organization is assessed in a SOC 2 report is one or more Trust Services Criteria, a set of control criteria for use in attestation or consulting engagements to evaluate and report on controls over information and systems utilized in the services provided.
An organization pursuing a SOC for Cybersecurity examination may use the Trust Services Criteria when designing or assessing its control requirements. However, the Description Criteria must be met and addressed in management’s description. A company may also use security frameworks other than the AICPA’s Trust Services Criteria as the basis for its cybersecurity risk management program, such as NIST SP 800-53 or ISO/IEC 27001/27002.
The Report User & Purpose
The intended user for each report is quite different as the reports serve different purposes and audiences.
SOC 2—SOC 2 reports are restricted-use reports intended for readers with sufficient knowledge and understanding of the service organization and its system. Often this includes customers who want assurance that the platform they are using is operated under a set of adequately functioning security controls. As a general rule, SOC 2 reports can only be shared with customers of the service organization.
SOC for Cybersecurity—SOC for Cybersecurity reports are general-use reports, and the objectives of the report are often determined by company management. These reports are meant for a broader audience than SOC 2 reports and are typically delivered to those who might be affected by or interested in an entity’s cybersecurity risk management program. Interested parties want confirmation that the company’s cybersecurity efforts are adequately reducing cybersecurity risk. This group includes managers, analysts, investors and even customers. A SOC for Cybersecurity report can be shared with anyone inside or outside an organization, at that organization’s discretion.
Treatment of a Subservice Organization
A “subservice” organization is a third party that provides one or more capabilities to the entity being assessed which fall within the control scope and/or evaluation criteria for the particular assessment. As such, that third party’s services can have a significant impact on the environment being assessed.
SOC 2—In a SOC 2 report, service organizations can either include or carve out a subservice vendor from the scope of the report.
SOC for Cybersecurity—The entity is responsible for all controls within its risk management program, which means that if it relies on third parties for controls within that program, it must include the third party (and the associated controls) in the scope of its evaluation.
Controls Matrix in the Report
SOC 2—In a SOC 2 report, the full Trust Services Criteria and the list of controls mapped to those criteria are included in the report, along with the CPA’s tests of controls and the results.
SOC for Cybersecurity—In a SOC for Cybersecurity report, the controls matrix is not included. Management’s description of its cybersecurity program is included, as are management’s assertion and the CPA’s opinion on that description, but the detailed cybersecurity controls and the results of the test of each control are not. Publishing this kind of sensitive information about an organization’s control environment could be detrimental to its security posture and could give an attacker useful information for planning an attack. Therefore, those details are left out of the report.
Should You Switch from SOC 2 to SOC for Cybersecurity?
There is a market need for both of the SOC reports discussed here, as they are intended for different audiences. Which report you choose ultimately depends on the demands of your customers and key stakeholders, as well as your objectives. In many cases, organizations that conduct a SOC 2 engagement might also invest in a SOC for Cybersecurity report, because it evaluates the organization at the entity level and provides a broader level of assurance and confidence for key stakeholders in a world that’s getting scarier each day.
Have more questions about SOC for Cybersecurity or how you could benefit from this comprehensive report? Connect with our team today.