In Switzerland as elsewhere, governments are calling on both the public and private sectors to strengthen their cyber posture in response to the expanded threat landscape of the post-COVID era.
“Cyber risks have become one of the most important threats to Switzerland's security and economy. It is of great importance that attacks on Swiss companies and authorities can be detected at an early stage and that the threat situation can be assessed as accurately as possible.” Swiss Confederation, April 2022
Beyond cyber measures
When it comes to cybersecurity, countless measures are available – from systems patching and intrusion detection to employee awareness campaigns. These are tried-and-tested ways to prevent successful attacks that begin with phishing or social engineering. What we are seeing in the market, however, is that the growth in outsourcing is forcing companies to ensure such measures are applied across the full spectrum of their most critical service providers. That is hard to achieve and enforce when the “outsourcing grid” becomes overly complex and interconnected. At the same time, companies are under increasing pressure to demonstrate that they are able to manage cyber threats comprehensively.
What is SOC for Cybersecurity?
Service Organization Controls (SOC) for Cybersecurity is a structured approach to managing this complexity. The attestation report is based on an attestation standard released in 2017. It gives organizations a reporting framework for communicating about their cybersecurity risk management program and the effectiveness of the controls within that program.
The Association of International Certified Professional Accountants (AICPA) describes “SOC for Cybersecurity” as an examination engagement performed on an entity’s cybersecurity risk management program. It covers two distinct but complementary subject matters:
(a) Description of the entity’s cybersecurity risk management program
(b) Effectiveness of controls within that program to achieve the entity’s cybersecurity objectives.
In essence, the report is aimed at giving readers a view of how a company manages cybersecurity, as well as whether the controls it has implemented are effective in achieving their stated objectives. The latter is the most important aspect of the report, since it represents the independent assessment, typically conducted by a recognized audit firm with strong methodologies and high quality standards.
Description criteria and implementation guidance
The SOC for Cyber framework also includes a set of description criteria along with implementation guidance. This provides a useful basis for any organization struggling to get started. One example is description criterion DC12, “The process for identifying, assessing, and managing the risks associated with vendors and business partners”, which comes with the following implementation guidance: “When making judgments about the nature and extent of disclosures to include about this criterion, consider the following:
- The process for identifying vendors and business partners affecting the entity’s cybersecurity risk management program and maintaining an inventory of those parties
- The process for identifying and evaluating risks that could be mitigated through the purchase of cybersecurity insurance
- How the entity manages risks to the achievement of its cybersecurity objectives arising from vendors and business partners”
Readiness assessment and next steps
While the framework is robust and well described, it can quickly become overwhelming and is subject to interpretation and judgment. Performing a readiness assessment with the guidance of a subject matter expert can be an effective first step toward the ultimate goal of a full attestation report.
Organizations that have outsourced some of their critical processes, systems and infrastructure to third parties should consider requiring such a report from their suppliers. It is only a matter of time until boards and regulators start demanding it. In turn, outsourcing and service providers should start taking steps to equip themselves with SOC for Cyber reports in order to increase customer confidence in their cyber measures. We often say “security has a cost, but it is priceless”. This has never been more valid than it is today.