How the AICPA’s 2018 SOC 2 Update can Positively Impact your Cybersecurity Model and Organization
READ TIME: 2 minutes
In January 2018, the AICPA released detailed guidance on its newest SOC 2 Common Criteria (based on COSO 2013 Framework for an entity-wide reporting level). The new framework officially went into effect December 15, 2018. Many organizations, including some of HORNE’s clients, were early adopters of the new framework and have already benefited greatly from its guidance.
Let’s review the new changes and how they can benefit your cybersecurity model and service organization.
New Incident Reporting Requirements
In the past, service organizations were not required to disclose major information security incidents that occurred during the period covered by the audit, unless the incident occurred as a result of a control failure.
As part of the new requirements, management is now required to include specific information about incidents that (1) occurred as a result of a failure in the design or operating effectiveness of one or multiple controls or (2) upon occurrence resulted in the company not being able to meet service commitments and system requirements.
The AICPA says that security incidents should include the following information:
- Nature or description of the incident
- Timing related to the incident (when the incident occurred)
- The consequence and impact the incident will have on the service organization, service organization’s users and any disruption to service commitments and system requirements
The largest benefit is that service organizations will be required to show explicit transparency in their report around incidents and how they were handled. Increasing transparency, if incidents were handled properly, can maintain trust in the organization and showcase company strength to potential new customers.
Increased Risk Assessment and Management Requirements
With an increased focus on risk management, the new criteria highlights the need for risk assessments to align with business objectives.
Regular, ongoing, and meaningful risk assessments aligned to business objectives will allow your company to take control of inherent and potential risks at every level of the organization.
From our perspective, we’ve noticed that companies who perform internal risk assessments frequently are less likely to encounter major incidents or issues during the period. We believe this is because management has taken an active (rather than passive) role in risk assessment, management, and acceptance, and know their company better as a result.
Vendor Management Requirements
With the connectivity of services and the reliance on vendors by service organizations for cloud services (e.g. Amazon Web Services, Azure, etc.), companies must identify and assess the affect the delivery of services may have on users. At the very least, the service organization should monitor its vendors’ services and controls to ensure the service organization can meet its customer commitments.
Maintaining an agile vendor management system that is regularly reviewed by management allows key processes and internal changes to occur while minimizing the negative impact on customers.
The AICPA is currently developing its SOC for Vendor Supply Chain framework with an expected release in Q2 2019. We can expect to see stricter requirements for service organizations upon its release. This will lead to additional expectations from customers considering today’s reliance on cloud-based services.
Although it’s still early on in the required use of the new framework in reporting, we’re hopeful that internal risk assessment enhancements and incident management requirements will allow companies to better manage and report their risk resilience to their customers.