Opposing Perspectives on SOC 2

How Clients and Vendors View the Benefits and Challenges of SOC 2 Reporting

Introduction

As third-party risks continue to rise, particularly following high-profile incidents like the SolarWinds and Kaseya breaches, the need for greater transparency into the security posture of vendors has become increasingly critical. One way to achieve this is through a SOC 2 audit. These audits affect organizations in different ways depending on their role—whether they are the vendor providing the service or the client relying on that service. In this blog, we explore both perspectives, looking at how SOC 2 audits create value and enforce accountability for clients and vendors alike.

Background

SOC 2, which stands for “System and Organization Controls 2,” was developed by the American Institute of Certified Public Accountants (AICPA) to standardize how organizations report on internal controls related to data security. Based on the Trust Services Criteria, SOC 2 evaluates a service provider’s controls on up to five key areas: security (mandatory), availability, processing integrity, confidentiality, and privacy.

SOC 2 evolved from the older SAS 70 audit, which focused on controls relevant to financial reporting. As cloud services expanded and data security became increasingly important, the AICPA introduced SOC 2 in 2011. This framework focuses specifically on non-financial controls, including data security and privacy. SAS 70 itself was succeeded by SOC 1, which retains the focus on financial reporting controls.

Since its inception, SOC 2 has become the de facto standard for service providers, especially in the tech industry. It helps companies demonstrate their commitment to protecting customer data and builds trust with clients. As cybersecurity threats have grown more complex, SOC 2 has adapted, becoming not just a third-party risk management requirement but also a competitive advantage.

Demand for SOC 2 reporting surged between 2018 and 2020. SOC 2 reports assess how well service providers handle data security across the five key criteria, but the audit’s implications go deeper—it plays a critical role in how both clients and vendors manage risks, maintain trust, and ensure business continuity.

Opposing Perspectives

Vendor Perspective

For vendors, completing a SOC 2 audit can be seen as a significant investment in both time and resources. However, the benefits are substantial:

  • Competitive Advantage: Achieving SOC 2 status not only meets the growing demand for cybersecurity assurances but also provides a distinct advantage in the marketplace. It positions vendors as reliable partners in data protection, opening doors to new business opportunities and helping secure larger contracts by building trust with potential clients.
  • Trust and Credibility: Vendors that complete SOC 2 audits demonstrate their commitment to protecting customer data, building trust with both current and prospective clients—crucial for companies looking to “go upmarket and close large deals.”
  • Mitigating Risk: SOC 2 helps vendors proactively identify and remediate control gaps before an audit. This reduces the likelihood of costly breaches, safeguarding their reputation and business.

However, completing a SOC 2 audit also comes with challenges:

  • High Expectations: Clients expect SOC 2-audited vendors to maintain the highest level of security, which puts pressure on vendors to continuously comply and improve.
  • Resource Intensive: The process requires significant investments in new policies, monitoring tools, and sometimes even hiring additional personnel, which can be particularly daunting for smaller vendors.

Consider a mid-sized MSP that secures a large contract contingent on its SOC 2 audit report. The client (and its auditors) expect the vendor to continuously update its controls and provide regular security reporting. Meeting these ongoing demands requires significant resources (staff hires, monitoring tools, a GRC platform, etc.). The MSP learns that maintaining SOC 2 status is not a one-time task but an ongoing commitment, placing a strain on operational budget and workforce.

Client Perspective

From the client’s viewpoint, SOC 2 audits offer reassurance that their service providers can securely manage sensitive data. However, the client’s role in ensuring security doesn’t end with receiving a SOC 2 report.

  • Reduced Risk: Vendors with a SOC 2 report help clients reduce third-party risk by proving they meet essential security controls. A recent study showed that 87% of organizations require assurance that third parties won’t introduce security risks.
  • Compliance with Regulatory Requirements: Many industries, particularly healthcare and finance, encourage businesses to work with vendors that hold SOC 2 reports (SOC 2 “compliant” vendors) to meet legal and regulatory standards.

However, there are also risks:

  • Blind Spots: A significant challenge in third-party risk management is the hidden risk that arises when companies fail to conduct thorough pre-contract due diligence. Even when working with SOC 2-audited vendors, vulnerabilities can be overlooked if clients don’t fully scrutinize the audit report, and this review should happen before any contract is executed. Relying on the SOC 2 report without carefully reviewing its scope, the controls tested, and any noted exceptions can create a false sense of security, leaving the organization exposed.
  • Cost Implications: Working with vendors that have undergone a SOC 2 audit may come with a higher price tag due to the significant resources these vendors invest in preparing for and maintaining audit-readiness. The cost of the SOC 2 audit itself, along with the implementation of robust security controls and ongoing monitoring, often results in higher service costs. However, these added expenses are generally seen as a sound investment, as a SOC 2 audit report gives clients valuable insight into a vendor’s security practices. The report demonstrates a vendor’s proactive approach to securing data, which can reduce the likelihood of costly security breaches and regulatory issues.

The Importance of Due Diligence

While receiving a SOC 2 report from a vendor can provide peace of mind, it’s crucial that clients don’t accept it at face value. A SOC 2 report is a valuable tool, but it’s not a guarantee that all risks have been mitigated. Clients must perform their own due diligence by thoroughly vetting the entire report:

  • Review the entire report: Don’t skip any sections—ensure you’ve read and understood the full audit report.
  • Evaluate the listed controls: Check whether the controls assessed in the report align with your organization’s specific security needs.
  • Identify auditor-noted exceptions: Look for any exceptions highlighted in the report and note them for further review.
  • Assess your own risk profile: Determine how the identified exceptions or gaps in controls might impact your organization’s risk.
  • Avoid blind trust: Don’t rely solely on the audit report—conduct your own risk assessment to ensure the vendor’s controls meet your security requirements.

Ultimately, a SOC 2 report should serve as a starting point for conversations about security, not the final word.

Industry Insights

Cloud Security Alliance [1]

Popularity and Competitive Advantage

“SOC compliance is the most popular form of a cybersecurity audit, used by a growing number of organizations to prove they take cybersecurity seriously. A SOC 2 report will provide you with a competitive advantage in the marketplace while allowing you to close deals faster and win new business”.

Importance for Small Businesses

“Your startup or small business will need a SOC 2 report to go upmarket and close large deals. Below are some of the benefits you will notice after earning a SOC 2 report: Development of strong policies and procedures, increased credibility with investors and partners, a strong competitive advantage, and saved time, money, and resources on a potential data breach”.

Key Benefits

“Organizations who complete a SOC 2 assessment will benefit from the following: Valuable insight into your security posture, a strategic roadmap for cybersecurity investments and initiatives, and increased competitive positioning in the marketplace”.

Deloitte [2]

Preparation

“Identifying and remediating any control gaps prior to embarking upon a formal SOC examination is critical, as the AICPA requires the service auditor to disclose all exceptions once an examination commences, regardless of their magnitude”

Demand

“According to the AICPA and CIMA 2020 SOC Survey, there is a growing market for SOC services with a 49% increase in demand for SOC 2 engagements between 2018 and 2020”

Prevalent [3]

Organizations Are Missing Critical Risks

“More than 50% of respondents indicated the biggest challenge they face in third-party risk management is not having enough pre-contract due diligence to identify potential vendor risks, followed by 46% who say a lack of real-time insights into vendor risk and performance is their biggest challenge.”

Cybersecurity as the Tip of the Iceberg

“87% of respondents cited the need to ensure that third parties do not introduce risks to their business that could negatively impact them, followed by 60% who say that they are required to report against specific regulatory, industry or data privacy requirements.”

The Growing Focus on Risk Management Due to Major Incidents

“COVID-19 (83%) and the SolarWinds breach drove the most organizational focus on third-party risk, and more board/executive focus.”

Satisfaction with Current Risk Assessments

“42% of respondents said they assess their third parties using spreadsheet-based questionnaires… almost no one feeling ‘extremely satisfied.’”

Case Study / Examples

SolarWinds

In December 2020, SolarWinds experienced a significant cyberattack when hackers infiltrated their Orion software by embedding malicious code into a routine software update. This sophisticated breach went undetected for months, allowing the attackers to access sensitive data from numerous government agencies, including the U.S. Departments of Homeland Security, Treasury, and Commerce, as well as many private sector companies. Despite having a SOC 2 Type II audit report prior to the incident, the breach highlighted that such attestations are not guarantees of absolute security. They indicate that a company has met certain standards at a point in time, but they do not ensure that controls are always effective or that vulnerabilities do not exist.

The impact on private companies was substantial, with nearly 18,000 customers receiving the compromised software update. High-profile companies such as Cisco, Intel, Deloitte, and Microsoft were among those affected. The financial repercussions were significant, with affected companies experiencing an average impact of 11% on their annual revenue, translating to about $12 million per company. The breach caused widespread operational disruptions and a profound erosion of trust in SolarWinds’ security measures. [4][5]

Kaseya Incident

In July 2021, Kaseya experienced a ransomware attack orchestrated by the REvil group. The attackers exploited zero-day vulnerabilities in Kaseya’s VSA (Virtual System Administrator) software, allowing them to deploy ransomware to endpoints managed by the software. This attack had a widespread impact, affecting approximately 1,500 businesses globally. Managed Service Providers (MSPs) using Kaseya’s software were particularly hard-hit, as they provide IT services to multiple other companies, amplifying the reach of the attack. The operational disruptions were significant, causing many businesses to shut down temporarily while they dealt with the fallout. Financial losses were substantial, with some companies facing ransom demands and others incurring costs related to downtime and recovery efforts.

Despite Kaseya’s swift response, which included shutting down their SaaS servers and advising customers to turn off their on-premises VSA servers, the incident highlighted the vulnerabilities that can exist even in widely used and trusted software. [6][7]

CDK Global Incident

In April 2021, CDK Global, a provider of IT and digital marketing solutions to the automotive industry, experienced a significant data breach. The attackers exploited vulnerabilities in CDK Global’s systems, leading to the exposure of sensitive customer data. This breach affected numerous dealerships, causing operational disruptions and financial losses. The compromised data included personally identifiable information such as names, addresses, Social Security numbers, driver’s licenses, credit card numbers, and bank account details. The impact was widespread, affecting approximately 15,000 car dealerships across North America.

Despite CDK Global’s efforts to secure their systems, this incident highlighted the vulnerabilities that can exist even in well-established and trusted software. It underscores the importance of continuous monitoring and improvement of cybersecurity measures. [8][9][10]

Case Study Summary

These incidents underscore that while SOC 2 Type II reports provide valuable assurance about a company’s security practices at a specific point in time, they are not guarantees of absolute security. Continuous improvement, vigilant monitoring, and proactive enhancement of cybersecurity measures are essential to protect against evolving threats. The significant operational and financial impacts of these breaches highlight the high stakes involved and the critical need for robust, ongoing security efforts.

Future Outlook

Automation is rapidly transforming the landscape of SOC 2 reporting, offering tools to streamline everything from policy development to control monitoring. While automation brings undeniable efficiencies, such as reducing manual tasks and minimizing human error, there are growing concerns that some vendors may be oversimplifying critical processes.

Automation platforms are being marketed as a one-stop solution for SOC 2 readiness, even automating the creation of policies and procedures. However, the risk lies in creating a false sense of security. If these automated controls are not carefully customized to the specific needs and risks of an organization, they can fail to meet the nuanced demands of an audit. This could lead to deeper scrutiny by auditors and, ultimately, damage the organization’s credibility.

While automation is certainly the future of compliance, it should not replace thorough, human-led risk assessments and policy development. In the next few years, we may see a hybrid model emerge—one that combines the efficiency of automation with the expertise of professionals who can ensure that controls are not only implemented but also fully effective.

As artificial intelligence (AI) becomes more integrated into these platforms, it will further enhance automation, offering predictive insights and real-time risk management. However, businesses should approach these advancements with caution, ensuring that they supplement—not replace—the comprehensive and thoughtful processes that SOC 2 demands.

Conclusion

SOC 2 reports are a valuable tool for assessing the maturity of a vendor’s security practices, but they are not a silver bullet. These reports demonstrate a vendor’s commitment to protecting client data and maintaining robust security measures. Both clients and vendors must recognize that SOC 2 reporting is not a guarantee of absolute security. The high-profile breaches at SolarWinds, Kaseya, and CDK Global illustrate that even SOC 2-audited companies can be vulnerable to sophisticated cyberattacks. Continuous vigilance, improvement, and proactive cybersecurity efforts are essential to truly safeguard against evolving threats. Clients should perform thorough due diligence and not rely solely on SOC 2 reports, while vendors must continuously enhance their security protocols to maintain trust and protect sensitive data. As the demand for SOC 2 continues to grow, it provides a competitive advantage and builds trust, but it also requires significant investment and ongoing commitment to cybersecurity.

Next Steps

If you’re a vendor aiming to achieve SOC 2 status or a client seeking expert guidance on evaluating third-party risk, we’re here to help. Contact us today for a personalized consultation and take the first step towards enhancing your cybersecurity posture. Stay ahead of the curve by subscribing to our blog for the latest insights on cybersecurity, compliance, and industry best practices. Don’t miss out on the opportunity to secure your business and build trust with your clients.

References
  1. What is SOC 2? Complete Guide to SOC 2 Reports, Cloud Security Alliance. https://cloudsecurityalliance.org/articles/what-is-soc-2-complete-guide-to-soc-2-reports-and-compliance
  2. Providing Assurance through SOC Reports, Deloitte. https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-rfa-providing-assurance-through-soc-reports.pdf
  3. The 2021 Third-Party Risk Management Study, Prevalent. https://www.prevalent.net/content-library/2021-third-party-risk-management-study/
  4. Updated Kaseya ransomware attack FAQ: What we know now, ZDNet. https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/
  5. SolarWinds cyberattack demands significant federal and private-sector response (infographic), U.S. Government Accountability Office. https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic
  6. Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers, CISA. https://www.cisa.gov/news-events/news/kaseya-ransomware-attack-guidance-affected-msps-and-their-customers
  7. Kaseya Responds Swiftly to Sophisticated Cyberattack, Kaseya press release. https://www.kaseya.com/press-release/kaseya-responds-swiftly-to-sophisticated-cyberattack-mitigating-global-disruption-to-customers/
  8. What to know about dealer, consumer, employee CDK lawsuits, Automotive News. https://www.autonews.com/retail/cdk-cyberattack-heres-overview-lawsuits
  9. CDK Global calls cyberattack that crippled its software platform a “ransom event”, CBS News. https://www.cbsnews.com/news/cdk-attack-cyber-ransom-event/
  10. CDK suffered another data breach as it was attempting to recover, TechRadar. https://www.techradar.com/pro/security/cdk-suffered-another-data-breach-as-it-was-attempting-to-recover

Timothy J. Marley, CPA, CISSP, CISA, CISM, CIA, CDPSE

Founder and Principal Consultant, Prism One

Timothy J. Marley, founder and principal consultant of Prism One, is a seasoned cybersecurity executive with over two decades of experience in information technology, risk management, and compliance. Tim’s extensive expertise helps organizations navigate the complex landscape of cybersecurity and risk management.

Tim’s mission is to empower organizations to build resilient security postures in an ever-evolving threat environment. At Prism One, he continues to provide tailored, high-quality cybersecurity solutions to meet the unique needs of each client.
