Business owners and executives are familiar with the concept of risk management. From managing inventory levels to reviewing insurance coverage to maintain a proper level of protection, it is a routine business practice. While it is common to focus on traditional business risks, many overlook, or underestimate, their cyber risk profile, leaving sensitive business, financial and customer data exposed. Given the increasing reliance on third-party vendors to streamline operations and reduce costs, it is important to assess the company's cyber risk exposure. A recent study reported that over 75% of businesses outsource a critical business function. While outsourcing may be the right business decision, it often gives vendors access to sensitive financial data, employee and customer records, and proprietary business information. What would happen if this data were "stolen" as a result of weaknesses in the vendor's controls and processes? What happens if the vendor is unable to provide its service or platform? How would the company handle the event? To help clients, prospects and others assess their cyber risk issues, PBMares has provided a summary of key points to consider below.

Assessing Cyber Risk – Outsourced Services

As more businesses turn to outsourced services, it is critical for business owners and executives to develop a vendor management program that performs initial and ongoing due diligence. Reviewing the control environment of critical vendors, both before signing and at regular intervals afterward, builds a clear picture of the risk the company is taking on.

An important component to consider is the level of access a vendor has to sensitive data, and whether that access is limited to what the service actually requires. Key issues to consider in the evaluation process include:

  1. Where is the data stored?
  2. How is data protected from internal and external threats?
  3. Who has access to it?
  4. How is access controlled?
  5. What policies and systems exist to ensure proper access and control are maintained?

Outsourced Payroll – A Practical Example

Many companies rely on outsourced providers to manage the payroll process. The company will want assurance that the vendor's software functions properly, including processing payroll transactions, calculating the proper withholdings, and paying employees accurately and on time. It is important to understand what assurances the vendor is making about process reliability, and what independent evidence supports them.

In addition, because of the highly sensitive and confidential nature of the data the vendor has access to, the company will want to ensure the vendor has adequate security controls in place. Consider the amount of employee data the vendor holds that is valuable to any cybercriminal: names, addresses, dates of birth, bank routing and account numbers, social security numbers and more. What would the company do if the data were stolen? What would be the company's risk exposure? How would it be handled? To answer these questions, companies need a consistent way to evaluate these risks rather than relying on the vendor's own assurances.

In order to assess and evaluate third-party vendors, business unit owners should request a System and Organization Controls (SOC) report (formerly called a Service Organization Control report). There are different types of SOC reports: a SOC 1 covers controls relevant to the user entity's financial reporting (for example, whether payroll is calculated and recorded accurately), while a SOC 2 covers the security-related Trust Services Criteria described below. For evaluating a vendor's handling of sensitive data, a SOC 2 report is often the best choice, and for a payroll provider it is common to request both.

What is a SOC 2 Audit?

A SOC 2 audit is an examination, performed by an independent CPA firm, of the controls a service organization (third party) has in place to deliver a secure operating environment. The audit focuses on the controls the vendor has identified as essential to properly deliver its services. Those controls are evaluated against the five Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. Security is required in every SOC 2 report; the other four are included only if the vendor chooses to have them examined, so the company should confirm that the criteria it cares about (for payroll, at least availability and confidentiality) are actually in scope. The goal is to provide companies with an accurate picture of the effectiveness of vendor controls, giving business owners the confidence they need to properly assess a vendor's services. SOC reports also describe complementary user entity controls (CUECs): the controls the business itself must have in place, such as managing its own users' access to the vendor's system, in order for the vendor's controls to work as intended.

It is important to note there are two types of SOC 2 reports, Type I and Type II. A Type I describes the vendor's system and reports on whether the controls are suitably designed and implemented as of a specific date. A Type II also tests the operating effectiveness of those controls over a period of time; most vendors select a period of six to twelve months. Unless it is the vendor's first SOC report, it should be providing a Type II. When reviewing the report, check that the period ends recently and covers the service the company actually uses, read the auditor's opinion and any listed exceptions rather than just confirming a report exists, and note whether the vendor's own subservice providers (such as a hosting provider) are included or "carved out" of the report.

Risk management can be a challenging task, especially considering the new and growing threats that exist. Protecting sensitive data and ensuring the vendor can fulfill its service commitments are essential to ensuring the company is not exposed to unforeseen risks.

Contact PBMares for more information on SOC 2 audits.