Lately, an increasing number of clients in Switzerland have asked questions about SOC 2 reports, the current “gold” standard when it comes to providing assurance on aspects such as security, availability or privacy. Below we explore the reasons for this push and what companies should be mindful of.
What is SOC 2 anyway?
SOC 2 is defined as an AICPA (American Institute of Certified Public Accountants) type of assurance report used by service organizations to give comfort to their customers that they have designed and implemented effective controls to manage one or more of the following aspects (called “categories”): security, availability, processing integrity, confidentiality and privacy. This standard has been around for many years in the U.S. and finds its equivalent around the globe through the ISAE 3000 standard (see figure on the right).
Why is it now a topic in Switzerland?
Switzerland is about ten years behind the U.S. and five years behind the rest of Europe when it comes to SOC 2 reporting. This isn’t necessarily a bad thing; it simply means that awareness and scrutiny around the topics covered by the standard (mainly security and protection of information) are just now starting to come to life. The first wave in the country is led by the larger corporate organizations subject to tighter regulations as well as the financial sector. Those companies are now asking (with little room for negotiation) their critical service providers (e.g. IT, payroll, customer service) to comply with the standard and issue an annual SOC 2 report on various categories. This way, they are able to meet internal as well as external requirements or frameworks.
What is the response from service providers?
We are seeing a worrying level of unpreparedness on the side of service providers, who for the most part have never heard of SOC 2. And for those who have, they are not experienced enough to navigate the complexity, depth and extent of the standard. It is fair to say that this is a very complex topic: depending on the number of categories included in the report, there can be up to 200 controls to be tested. Most – if not all – of the largest service providers in the world (e.g. AWS, Azure, Google, SAP) all issue those reports, and they are bulky. Another aspect is the cost of such a compliance exercise: with so many controls to evaluate by an independent auditor, it can quickly add up and make it a hard pill to swallow.
What should Swiss companies do about it?
For one, companies who currently outsource critical systems and processes should determine how they obtain comfort that the associated service providers are applying sound controls over how they handle their data and transactions. It is only a matter of time until internal or external stakeholders start asking more pointed questions to boards and executives.
When it comes to service providers, they need to start addressing this topic or risk being outrun by the competition, namely by the large global players who already comply with the standard. While this is a high cost to pay, it is well worthwile in the long run.