I read something last month on how SOC2 certification was making compliance attractive again. My first thought – I must have missed something; exactly when was compliance ever attractive? I guess one perfect answer would be… at audit time!
Speaking honestly, though, I do understand the sentiment surrounding SOC2. It is smart, prudent, and necessary – a business imperative in our minds.
Developed by the American Institute of CPAs (AICPA), SOC2 defines criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality, and privacy. It is an audit framework to ensure vendors securely manage and protect data, yours and their own.
Having earned our SOC2 Type 1 certification and, most recently, our SOC2 Type 2 certification in March 2020, we see it as a competitive advantage and definitely worth renewing. In talking with Scott Roller, Co-Founder of Vendor Surf, and vendor management pundit, everyone seems to talk it up, SOC2 certification that is, yet it appears so few vendors ever obtain it. “For years, I have advocated for universal SOC2 adoption across mortgage and credit union ecosystems, yet it is still tougher than imagined to find such certified vendors,” Roller said. “If you are a lender serious about not becoming the next information security breach headline, then start putting a premium on SOC2 certification. Your certified vendors have paid a premium for it, granted by an independent authority, saving you sizable time and money while mitigating risk,” Roller added.
The SOC2 Type 2 certification is among the most coveted and hard to obtain information security certifications. It demonstrates that an expertly trained independent accounting and auditing firm has examined an organization’s non-financial reporting control objectives and activities and has actually tested those controls overtime to ensure that they are operating effectively. The classic audit process – say what you do, then do what you say – InfoSec style.
Time and Cost – Quite the Commitment
This SOC2 certification process is neither fast nor cheap. It reviews 12 months of operations and can cost $20,000 to over $100,000, depending upon the complexity of the infrastructure. Vendors with that time, money, and patience are clearly differentiating themselves when it comes to information security.
“When lenders issue RFPs, they often include a 300-item questionnaire via a basic Excel spreadsheet with rambling and redundant questions,” Roller said. “I have long lobbied to skip the questionnaire and instead seek SOC2 certified vendors, as there is absolutely nothing you will ask of lenders that SOC2 audits have not already tested on a systemic basis. Simply read the vendor’s SOC2 reports, and jot down any subsequent questions you may have, expecting there to be very few”.
5 Reasons We Will Renew our SOC Certification
1. Customer Demand
Our customers are savvy. They get it – and demand it of us – as they should of all of their vendors.
2. Peace of Mind
It gives us peace of mind knowing we are prudent caretakers of private data – our own and our clients’. SOC2 provides reassurance that our controls are properly designed, in place, and effectively protecting sensitive data.
3. Client Value
The certification is expensive, exhaustive, and ongoing, but worth the volumes it speaks to the integrity of the vendor and the value the vendor places on the vendor-client relationship.
4. Competitive Advantage
It makes a ‘statement of dedication’ to those we serve. A badge of honor for us that puts us in a vendor class above the rest.
5. Doing It Right
Few things are more important than compliance – SOC2 Type 2 certification is the pinnacle. You must have processes, policies, procedures, and controls for every department, and most importantly, ensure these items are being consistently followed and implemented throughout your organization.
Here at CSS, we are proud to have migrated away from talking about our compliance to proving it instead. The Type 2 certification not only helps set CSS apart from the competition but also gives our customers the assurances they deserve and should expect when working with a vendor.