Opposing Perspectives on SOC 2
How Clients and Vendors View the Benefits and Challenges of SOC 2 Reporting
Introduction
As third-party risks continue to rise, particularly following high-profile incidents like the SolarWinds and Kaseya breaches, the need for greater transparency into the security posture of vendors has become increasingly critical. One way to achieve this is through a SOC 2 audit. These audits affect organizations in different ways depending on their role: the vendor providing the service or the client relying on that service. In this blog, we explore both perspectives, offering insights into how SOC 2 audits create value and enforce accountability for clients and vendors alike.
Background
SOC 2, which stands for “System and Organization Controls 2,” was developed by the American Institute of Certified Public Accountants (AICPA) to standardize how organizations report on internal controls related to data security. Based on the Trust Services Criteria, SOC 2 evaluates a service provider’s controls on up to five key areas: security (mandatory), availability, processing integrity, confidentiality, and privacy.
SOC 2 evolved from the older SAS 70 audit, which focused on financial reporting controls. As cloud services expanded and data security became increasingly important, the AICPA introduced SOC 2 in 2011 to cover non-financial aspects such as data security and privacy; SAS 70 itself was superseded by SOC 1.
Since its inception, SOC 2 has become the de facto standard for service providers, especially in the tech industry. It helps companies demonstrate their commitment to protecting customer data and builds trust with clients. As cybersecurity threats have grown more complex, SOC 2 has adapted, becoming not just a third-party risk management requirement but also a competitive advantage.
Demand for SOC 2 reporting surged between 2018 and 2020. SOC 2 reports assess how well service providers handle data security across the five key criteria, but the audit’s implications go deeper—it plays a critical role in how both clients and vendors manage risks, maintain trust, and ensure business continuity.
Opposing Perspectives
Vendor Perspective
Client Perspective
The Importance of Due Diligence
Industry Insights
Cloud Security Alliance [1]
Popularity and Competitive Advantage
“SOC compliance is the most popular form of a cybersecurity audit, used by a growing number of organizations to prove they take cybersecurity seriously. A SOC 2 report will provide you with a competitive advantage in the marketplace while allowing you to close deals faster and win new business.”
Importance for Small Businesses
“Your startup or small business will need a SOC 2 report to go upmarket and close large deals. Below are some of the benefits you will notice after earning a SOC 2 report: Development of strong policies and procedures, increased credibility with investors and partners, a strong competitive advantage, and saved time, money, and resources on a potential data breach.”
Key Benefits
“Organizations who complete a SOC 2 assessment will benefit from the following: Valuable insight into your security posture, a strategic roadmap for cybersecurity investments and initiatives, and increased competitive positioning in the marketplace.”
Deloitte [2]
Preparation
“Identifying and remediating any control gaps prior to embarking upon a formal SOC examination is critical, as the AICPA requires the service auditor to disclose all exceptions once an examination commences, regardless of their magnitude”
Demand
“According to the AICPA and CIMA 2020 SOC Survey, there is a growing market for SOC services with a 49% increase in demand for SOC 2 engagements between 2018 and 2020”
Prevalent [3]
Organizations Are Missing Critical Risks
“More than 50% of respondents indicated the biggest challenge they face in third-party risk management is not having enough pre-contract due diligence to identify potential vendor risks, followed by 46% who say a lack of real-time insights into vendor risk and performance is their biggest challenge.”
Cybersecurity as the Tip of the Iceberg
“87% of respondents cited the need to ensure that third parties do not introduce risks to their business that could negatively impact them, followed by 60% who say that they are required to report against specific regulatory, industry or data privacy requirements.”
The Growing Focus on Risk Management Due to Major Incidents
“COVID-19 (83%) and the SolarWinds breach drove the most organizational focus on third-party risk, and more board/executive focus.”
Satisfaction with Current Risk Assessments
“42% of respondents said they assess their third parties using spreadsheet-based questionnaires… almost no one feeling ‘extremely satisfied.’”
Case Study / Examples
SolarWinds
In December 2020, SolarWinds experienced a significant cyberattack when hackers infiltrated their Orion software by embedding malicious code into a routine software update. This sophisticated breach went undetected for months, allowing the attackers to access sensitive data from numerous government agencies, including the U.S. Departments of Homeland Security, Treasury, and Commerce, as well as many private sector companies. Despite having a SOC 2 Type II audit report prior to the incident, the breach highlighted that such attestations are not guarantees of absolute security. They indicate that a company has met certain standards at a point in time, but they do not ensure that controls are always effective or that vulnerabilities do not exist.
The impact on private companies was substantial, with nearly 18,000 customers receiving the compromised software update. High-profile companies such as Cisco, Intel, Deloitte, and Microsoft were among those affected. The financial repercussions were significant, with affected companies experiencing an average impact of 11% on their annual revenue, translating to about $12 million per company. The breach caused widespread operational disruptions and a profound erosion of trust in SolarWinds’ security measures. [4, 5]
Kaseya Incident
In July 2021, Kaseya experienced a ransomware attack orchestrated by the REvil group. The attackers exploited zero-day vulnerabilities in Kaseya’s VSA (Virtual System Administrator) software, allowing them to deploy ransomware to endpoints managed by the software. This attack had a widespread impact, affecting approximately 1,500 businesses globally. Managed Service Providers (MSPs) using Kaseya’s software were particularly hard-hit, as they provide IT services to multiple other companies, amplifying the reach of the attack. The operational disruptions were significant, causing many businesses to shut down temporarily while they dealt with the fallout. Financial losses were substantial, with some companies facing ransom demands and others incurring costs related to downtime and recovery efforts.
Despite Kaseya’s swift response, which included shutting down their SaaS servers and advising customers to turn off their on-premises VSA servers, the incident highlighted the vulnerabilities that can exist even in widely used and trusted software. [6, 7]
CDK Global Incident
In April 2021, CDK Global, a provider of IT and digital marketing solutions to the automotive industry, experienced a significant data breach. The attackers exploited vulnerabilities in CDK Global’s systems, leading to the exposure of sensitive customer data. This breach affected numerous dealerships, causing operational disruptions and financial losses. The compromised data included personally identifiable information such as names, addresses, Social Security numbers, driver’s licenses, credit card numbers, and bank account details. The impact was widespread, affecting approximately 15,000 car dealerships across North America.
Despite CDK Global’s efforts to secure their systems, this incident highlighted the vulnerabilities that can exist even in well-established and trusted software. It underscores the importance of continuous monitoring and improvement of cybersecurity measures. [8, 9, 10]
Case Study Summary
These incidents underscore that while SOC 2 Type II reports provide valuable assurance about a company’s security practices at a specific point in time, they are not guarantees of absolute security. Continuous improvement, vigilant monitoring, and proactive enhancement of cybersecurity measures are essential to protect against evolving threats. The significant operational and financial impacts of these breaches highlight the high stakes involved and the critical need for robust, ongoing security efforts.
Future Outlook
Automation is rapidly transforming the landscape of SOC 2 reporting, offering tools to streamline everything from policy development to control monitoring. While automation brings undeniable efficiencies, such as reducing manual tasks and minimizing human error, there are growing concerns that some vendors may be oversimplifying critical processes.
Automation platforms are being marketed as a one-stop solution for SOC 2 readiness, even automating the creation of policies and procedures. However, the risk lies in creating a false sense of security. If these automated controls are not carefully customized to the specific needs and risks of an organization, they can fail to meet the nuanced demands of an audit. This could lead to deeper scrutiny by auditors and, ultimately, damage the organization’s credibility.
While automation is certainly the future of compliance, it should not replace thorough, human-led risk assessments and policy development. In the next few years, we may see a hybrid model emerge—one that combines the efficiency of automation with the expertise of professionals who can ensure that controls are not only implemented but also fully effective.
As artificial intelligence (AI) becomes more integrated into these platforms, it will further enhance automation, offering predictive insights and real-time risk management. However, businesses should approach these advancements with caution, ensuring that they supplement—not replace—the comprehensive and thoughtful processes that SOC 2 demands.
Conclusion
SOC 2 reports are a valuable tool for assessing the maturity of a vendor’s security practices, but they are not a silver bullet. These reports demonstrate a vendor’s commitment to protecting client data and maintaining robust security measures. Both clients and vendors must recognize that SOC 2 reporting is not a guarantee of absolute security. The high-profile breaches at SolarWinds, Kaseya, and CDK Global illustrate that even SOC 2-audited companies can be vulnerable to sophisticated cyberattacks. Continuous vigilance, improvement, and proactive cybersecurity efforts are essential to truly safeguard against evolving threats. Clients should perform thorough due diligence and not rely solely on SOC 2 reports, while vendors must continuously enhance their security protocols to maintain trust and protect sensitive data. As the demand for SOC 2 continues to grow, it provides a competitive advantage and builds trust, but it also requires significant investment and ongoing commitment to cybersecurity.
Next Steps
If you’re a vendor aiming to achieve SOC 2 status or a client seeking expert guidance on evaluating third-party risk, we’re here to help. Contact us today for a personalized consultation and take the first step towards enhancing your cybersecurity posture. Stay ahead of the curve by subscribing to our blog for the latest insights on cybersecurity, compliance, and industry best practices. Don’t miss out on the opportunity to secure your business and build trust with your clients.
References
- [1] What is SOC 2? Complete Guide to SOC 2 Reports | CSA. https://cloudsecurityalliance.org/articles/what-is-soc-2-complete-guide-to-soc-2-reports-and-compliance
- [2] Providing Assurance through SOC Reports, Deloitte. https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-rfa-providing-assurance-through-soc-reports.pdf
- [3] The 2021 Third-Party Risk Management Study, Prevalent. https://www.prevalent.net/content-library/2021-third-party-risk-management-study/
- [4] Updated Kaseya ransomware attack FAQ: What we know now, ZDNet. https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/
- [5] U.S. Government Accountability Office. https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic
- [6] Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers, CISA. https://www.cisa.gov/news-events/news/kaseya-ransomware-attack-guidance-affected-msps-and-their-customers
- [7] Kaseya Responds Swiftly to Sophisticated Cyberattack, Kaseya press release. https://www.kaseya.com/press-release/kaseya-responds-swiftly-to-sophisticated-cyberattack-mitigating-global-disruption-to-customers/
- [8] What to know about dealer, consumer, employee CDK lawsuits, Automotive News. https://www.autonews.com/retail/cdk-cyberattack-heres-overview-lawsuits
- [9] CDK Global calls cyberattack that crippled its software platform a “ransom event”, CBS News. https://www.cbsnews.com/news/cdk-attack-cyber-ransom-event/
- [10] CDK suffered another data breach as it was attempting to recover, TechRadar. https://www.techradar.com/pro/security/cdk-suffered-another-data-breach-as-it-was-attempting-to-recover
Timothy J. Marley, CPA, CISSP, CISA, CISM, CIA, CDPSE
Founder and Principal Consultant, Prism One
Timothy J. Marley, founder and principal consultant of Prism One, is a seasoned cybersecurity executive with over two decades of experience in information technology, risk management, and compliance. Tim’s extensive expertise helps organizations navigate the complex landscape of cybersecurity and risk management.
Tim’s mission is to empower organizations to build resilient security postures in an ever-evolving threat environment. At Prism One, he continues to provide tailored, high-quality cybersecurity solutions to meet the unique needs of each client.