By Steve Fontaine
It’s been in the news everywhere: cyberattacks targeting some of the United States’ most critical systems, infrastructure and supply chains, coupled with extreme ransomware demands. If you found yourself in an hours-long line for expensive gas last month, then you are probably already familiar with the damage a ransomware attack can do.
Cyberattacks may be the most dangerous threat to businesses worldwide. According to a recent PwC Global CEO survey, nearly half of CEOs named cyber threats as their biggest concern for 2021, up from 33 percent the year before.
Technology-based organizations such as lenders, banks and other financial institutions have good reason for concern. With today’s proliferation of remote work and an unprecedented reliance on technology, many financial institutions have expanded their attack surface faster than their controls, leaving them exposed to significant risk.
And the risk doesn’t stop at those institutions themselves. As Deloitte noted in its report on third-party proficiency, “companies of all sizes routinely rely upon an ecosystem of outsource service providers (OSPs) to carry out a wide array of functions, many of them mission-critical.” Because every outsourced function extends the institution’s attack surface to the provider, it is more important than ever for financial institutions to vet each service provider and confirm that the provider’s own processes and controls would hold up in the event of a breach.
What Should Lenders Do to Protect Themselves?
Given this increased reliance on outsourced providers, how can financial institutions remain secure? According to Deloitte, financial institutions should only consider third-party vendors that have obtained a System and Organization Controls (SOC) 2 Type II report.
Developed by the AICPA, SOC 2 is an attestation framework designed to evaluate whether a service provider’s controls over customer data meet the Trust Services Criteria: security is always in scope, and availability, processing integrity, confidentiality and privacy are added as the service warrants. It is an attestation issued by an auditor, not a certification, which is why the content of the report matters more than the label. With the widespread use of cloud service platforms, a SOC 2 report has become a must for technology companies and service providers.
The audit is performed, and the report attested, by an independent certified public accounting firm. It evaluates the provider’s controls across the in-scope criteria and also reviews the internal controls supporting organizational oversight, vendor management, risk management and regulatory compliance. The Type II distinction matters: a Type I report only assesses whether controls are suitably designed at a single point in time, whereas a Type II report tests whether those controls actually operated effectively over a review period, typically six to twelve months. Ultimately, a SOC 2 Type II report demonstrates a service provider’s formal, sustained commitment to data management and security best practices.
Many service providers tout “compliance readiness” on the basis of a “shared responsibility” model, pointing to the SOC 2 reports of their cloud providers (e.g. AWS) rather than to any report on their own organization. That argument falls short. A cloud provider’s report covers only the controls the cloud provider operates, such as physical data-center security and the underlying infrastructure; it says nothing about how the service provider configures that infrastructure, manages access to customer data, handles changes and incidents, or oversees its own vendors. Relying on it alone leaves the service provider without its own oversight of, and long-term commitment to, the Trust Services Criteria and the policies and procedures behind them, creating gaps in its business controls and weakening the safeguards around its customers’ data. When reviewing a vendor’s SOC 2 report, confirm that it is issued in the vendor’s own name, that its scope covers the system that will actually process your data, and read the auditor’s opinion and any noted exceptions rather than stopping at the cover page.
What is the SOC 2 Process?
For a service provider, a SOC 2 engagement is a lengthy and rigorous exercise requiring months of preparation. It demands close coordination and attention to detail to ensure the attestation is completed correctly.
At Trinity, the following are the steps we undertook to complete the SOC 2 audit:
The Value of Service Providers Attaining Their SOC 2
No doubt about it: given the ongoing cybersecurity issues, SOC 2 is gaining increasing attention and importance. Still, many service providers have yet to obtain one.
The commitment to invest in the SOC 2 Type II attestation process creates a number of success factors for lenders and service providers alike.
SOC 2 is about putting in place well-defined policies, procedures and practices, not just ticking compliance checkboxes. It requires the implementation of long-term, ongoing internal best practices that ensure the security of customer information and, in turn, the long-term success of your business.
At Trinity, the SOC 2 process is a significant priority; we are now entering our third year of renewing our attestation. We are fully invested in this compliance program because protecting our customers’ most critical assets is not only our job, it is our commitment, and it goes to the very heart of our relationship with each and every client. It is our privilege to do so.
For more information about Trinity’s SOC 2 program, please feel free to contact us.