With the rise of innovations like cloud technology and software-as-a-service, clients are increasingly finding that it makes business sense to outsource computerized services, from payroll processing to the storage of electronic medical records. While doing so often cuts costs, routing (frequently confidential) data through third-party service providers also implicates serious cybersecurity concerns and, in some cases, may increase potential liability. Further, one of the pillars of a commercially reasonable information security program is selecting and retaining service providers capable of maintaining appropriate safeguards. To address these concerns, and to keep data safe, clients should require service providers to furnish them with Service Organization Control (“SOC”) Reports, particularly SOC 2 Reports.
SOC Reports were developed by the American Institute of CPAs (AICPA) to provide information about the robustness and quality of a service provider’s internal controls over certain types of data. There are three types of SOC Reports, each serving separate functions.
SOC 1 Reports: SOC 1 Reports address a service provider’s controls that relate to a client’s internal control over financial reporting. Because of this, SOC 1 Reports, unlike SOC 2 and SOC 3 Reports, are limited to controls that could be relevant to a client’s financial audit. These reports are most important when a service provider works directly with a client’s financial information, such as by providing payroll services, and may actually be mandatory for publicly traded companies. If a service provider is working with any of a client’s data other than the client’s financial information, though, a SOC 2 Report will be much more important.
SOC 2 Reports: Serving a broader audience than SOC 1 Reports, SOC 2 Reports provide information about a service provider’s controls that affect the security and processing integrity of the systems that the service provider uses to process a client’s data. In preparing for a SOC 2 Report, a service provider first considers which of several security criteria are most relevant to its service, and then designs controls to achieve those criteria. After that, an auditor reviews the criteria and the designed controls, generating an opinion as to how well the service provider’s controls fit the selected criteria. These reports often contain highly confidential information about a service provider’s cybersecurity systems, so clients will likely have to sign a nondisclosure agreement to see them.
SOC 2 Reports are further broken down into two types – the (not so creatively named) Type 1 and Type 2 reports. Type 1 reports focus on the suitability of the design of a service provider’s controls over data, while Type 2 reports center on the operating effectiveness of these same controls. While there is some debate on the topic, many argue that Type 2 reports are the more rigorous of the pair.
SOC 3 Reports: If SOC 2 Reports are, broadly, better for clients than SOC 1 Reports, then SOC 3 Reports must be even better, right? Not quite. A SOC 3 Report is actually just a high-level summary of the information in a SOC 2 Report. Intended to be public-facing, SOC 3 Reports are less in-depth and do not contain confidential information. In fact, a SOC 3 Report is largely just an auditor’s “thumbs up” or “thumbs down” as to whether a service provider has passed a SOC 2 examination, and clients should not accept one as a substitute for a SOC 2 Report.
Clients will, and largely should, continue to outsource processes previously conducted internally. While doing so can reduce costs and streamline operations, it can also create risks to data security. To ensure that service providers exercise the utmost care when dealing with clients’ data, and to support the selection and retention of service providers capable of maintaining appropriate safeguards, clients should require their service providers to complete SOC 2 Reports and contractually oblige service providers to share the results with them.