What SOC 2 Compliance Is, And Why You (Probably) Need It

In 2015, Comcast paid $100 to each of the 75,000 customers they leaked the information of. The total cost of the settlement in their case was $33 million.

This case is indicative of something we’ve known for a long time; customer data has real-world value.

Whether it’s advertisers looking for more information on their demographics or scammers looking for your financial details, there’s significant value in your clients’ data. More importantly, your clients have a right to their own privacy and protection from bad actors (such as the aforementioned scammers).

You need to have measures in place to protect your clients’ data, and they need some way to have confidence in your defenses. That’s why you need to think about SOC 2 compliance.

This post covers what SOC 2 is, why you should care about it, how it can help your business, and why you might not have a choice about the need to get certified.

Here are bitesize chunks to help you navigate this post:

  • You wouldn’t scam a granny
  • What is a SOC 2 audit?
  • Benefits to SOC 2 compliance
  • Warnings against SOC 2 compliance
  • Who needs SOC 2 compliance?
  • When to have a SOC 2 audit

Let’s get started.

You wouldn’t scam a granny

When covering SOC 1 audits I mentioned that my grandparents had fallen for a cold calling phishing scam. This data breach allowed the scammers to transfer money straight out of their account.

Well, my grandparents were more cautious after that slip-up.

They now shred their names and addresses from any letters, then flush the pieces down the toilet instead of throwing the lot away. It’s a drastic measure, but you can see their logic; if someone rifled through their garbage and found their names and address, they could do further damage.

Unfortunately, most scammers aren’t looking through your trash for letters to help them impersonate you.

They’ll just use the internet to find out much more instead.

Anyone with a connection can learn who you are and what your contact information is. A little Facebook stalking here, a scan of your LinkedIn profile there, and scammers would know everything from where you live to your family’s names, your pets, current and previous jobs, and even where you went to school.

My point is that data has value, even at a consumer level. That value (and the danger at each point of attack) is amplified exponentially when you’re looking at a company’s data instead.

One weak link in your armor and a scam artist could do much more damage than impersonating my grandparents to get a quick buck. They could potentially bankrupt an entire company, and the ultimate liability for that breach would lie with you.

You need to know that your data (and that of the companies you provide your product or services to) is secure to avoid privacy breaches.

You need to be SOC 2 compliant.

What is a SOC 2 audit?

A SOC 2 audit is an audit performed by a Certified Public Accountant (CPA) credentialled by the American Institute of Certified Public Accountants (AICPA) to validate that you’re sufficiently protecting your clients’ data according to the standards of the SOC 2 certification.

More specifically, this audit will judge you for SOC 2 compliance by assessing your performance in one or more of these five categories:

  • Security
  • Availability
  • Processing integrity
  • Confidentiality
  • Privacy

Security

Security assessment is what you’d expect; your system and system resources need to be secured against unauthorized access.

Access controls are the best way to take care of the majority of this security. After all, if your clients’ data is accessible to fewer people (only those who need to view it for their work), there are fewer points of attack that scammers and hackers can go through.

IT security tools such as network firewalls should be kept up to date, intrusion detection can warn of issues when they occur, and two-factor authentication can help to deal with lost accounts and devices.

Furthermore, you should train your team members to know when and where it is safe to access, discuss, and share your clients’ details. After all, people are vulnerable to scammers in the same way technology is vulnerable to hackers - if they don’t know what they’re protecting or how to do that, they’re going to let something slip sooner or later.

Availability

Availability in SOC 2 compliance refers to your client’s data (and the system as a whole) maintaining availability to both parties.

In other words, your services are provided to clients, and your team is able to access the backend controls in a similar way. Your clients can access and change their data if they so desire, and it is clear to both parties what is expected of (or being provided to) the other.

Processing integrity

Having “processing integrity” means that your system reliably performs the way it is intended to for both your team and clients.

While availability showed that your system is being provided at all, processing integrity is all about making sure that it does what you say it will do. This applies to everything from basic functionality to your data processing - measures should be in place to keep everything running predictably.

Confidentiality

Confidentiality is similar to security but specifically focuses on your policies and practices for sharing sensitive internal and client data.

This can include anything from information which identifies specific clients (names, email addresses, etc) to internally sensitive documents such as private price lists, business plans, company hierarchy, and so on.

Basically, if it’s not something that your clients and/or CEO would want publicly available for all to see, it needs to be made confidential.

Privacy

Finally, your privacy assessment is all about how you collect and use your clients’ information. This is primarily to make sure that you’re clear to customers about how their data is gathered and used, but is also relevant to how you retain, disclose, and dispose of their data.

The exact specifications will vary based on the type of company you are, what your data policies state, and what information you gather from your clients. However, at the very least your privacy measures need to follow the AICPA’s Privacy Management Framework (PMF).

Benefits to SOC 2 compliance

As you can see, SOC 2 compliance isn’t a walk in the park. It takes a lot of time, money, effort, and coordination to make sure that your company is up to standard.

So, for all that investment, what are you getting in return?

Well:

  • SOC 2 compliance inspires client confidence
  • Certain clients require SOC 2 compliance
  • SOC 2 is a universally recognized standard
  • Your potential bookings will grow

SOC 2 compliance inspires client confidence

SOC 2 compliance shows your clients that you’re trustworthy with their information. That single certification shows them at a glance that an independent auditor (who is fully qualified and verified themselves) has reviewed the evidence provided by your company and made sure that your security, availability, processing integrity, confidentiality, and privacy are all up to standard.

Basically, they will be able to confirm that you meet SOC 2’s standards for data security. Because it’s such a universal standard, this shows your clients that they can trust you with their company’s data.

Certain clients require SOC 2 compliance

Some clients (particularly enterprise clients or those in sensitive sectors such as law and security) will require you to be SOC 2 compliant before even considering you as a business solution. The sooner you’re compliant and audited, the sooner you’ll open a new client base to your sales team.

That’s not even mentioning your situation if you’re a vendor yourself. If one of your client’s clients requires SOC 2 compliance, that creates a domino effect in that your client will require it, which means that you’ll also need certification.

SOC 2 is a universally recognized standard

SOC 2 isn’t some backyard certification that only two people have heard of. Any and all B2B software vendors need to be SOC 2 compliant sooner or later, meaning that the vast majority of clients will know what it is and what it means.

Instead of having to go over all of your security measures with each and every client to assure them that their data is safe with you, all you need to say is “yes, we’re SOC 2 compliant”.

No more multi-sheet Excel workbooks your IT team needs to use to respond in detail to every sale - one little certification and you’re good to go!

Your potential bookings will grow

Remember what I said about SOC 2 being required for some clients to consider doing business with you? Well, with those clients comes massive potential to increase your revenue!

You’re not just raising your standards for new clients either - even prospects who don’t require SOC 2 compliance will have more confidence in you as a solution if they know that you have rock-solid security procedures. As such it makes you more attractive even to clients you were already marketing to!

Warnings against SOC 2 compliance

SOC 2 compliance isn’t all positive though - there are a few aspects that you should carefully consider before deciding whether or not to commit to an audit.

  • SOC audits are expensive and very time consuming
  • Your vendors also need SOC 2 compliance
  • Your clients might not need SOC 2 compliance
  • You could end up with the wrong SOC audit

SOC audits are expensive and very time consuming

SOC 1 and 2 audits don’t come cheap. Both have to be performed by an accredited professional and neither (especially SOC 2) can be carried out without affecting your regular operations.

In other words, you’re not just paying upwards of $40,000 for a (mandatory) readiness assessment and a SOC 2 Type I audit (the cheapest type of SOC 2 audit). You’re paying far more in lost productivity, legal costs, and so on.

That’s not even mentioning how long these audits can take!

Risk Crew estimates that a SOC 2 Type I audit will take roughly 7 months from the point of deciding you need one to receiving the certification. Type II will likely take another 12 months on top of that, meaning you’re looking at over a year and a half of time before you can get certified.

In short, you have to plan well in advance for when you’ll need SOC 2 compliance.

Your vendors also need SOC 2 compliance

There’s no point in locking your gate if thieves can just step over it. In the same sense, if your vendors aren’t SOC 2 compliant then they’ll be flagged as a weakness in your system. You’ll still get certified, but the auditor’s letter in your SOC 2 report will reveal their concerns about your vendors’ security.

The only way to get certified while also using vendors that aren’t is to effectively perform a SOC 2 audit yourself, insofar as making sure that those vendors use the same methods as your own company to secure everything.

But that’s not the worst of it!

You might think that the solution to one of your vendors lacking SOC 2 certification would be to switch to a competitor who does have it.

It’s not as simple as that.

Remember that your vendors (or, at least, the ones who have access to your client data and thus need SOC 2 compliance) likely directly integrate into your software platform. You can’t just switch vendors to one that’s already SOC 2 compliant with a couple of clicks - it’s a massive undertaking that cuts into your ability to deliver customer-facing features and functionality.

There’s no easy solution. Either you bite the bullet and start untangling yourself from your current (non-compliant) vendors, or you do a full vendor audit on every vendor who lacks SOC 2 compliance.

Your clients might not need SOC 2 compliance

There are three possibilities here; your client might be misinformed and not need SOC 2 compliance (or SOC compliance in general), they might be using it as an excuse not to buy what you’re selling, or your team could be prioritizing compliance before you actually need it.

If it’s the first, there’s not much you can do. A client asking for SOC 2 compliance certification has to be taken seriously, as trying to argue why you don’t need it will waste both of your time and probably aggravate them. Not to mention the potential of them turning around and asking you to fill out a nightmare of a security policy instead.

If it’s the second, it’s painful but no matter which way you look at it they’re a lost sale. They’re hard to separate from those who genuinely need you to be compliant (because they won’t admit to it being an excuse), but you equally can’t do anything to convince them as even becoming compliant won’t solve their resistance to buying.

Your team could also be jumping ahead and trying to prioritize compliance before your prospects actually start asking for it. While it’s good to plan ahead (especially with how long SOC 2 audits take), the investment in an audit shouldn’t be taken lightly if your clients aren’t even asking for it.

You could end up with the wrong SOC audit

Online SOC documentation is terrible. It’s one of the reasons we’re writing this very post. As a result, it’s entirely possible that you and your clients are misinformed about whether you need to be SOC 2 compliant.

Are you 100% certain that you need to be SOC 2 compliant and not SOC 1? How about Type I or Type II of SOC 1 or 2? How do you know you need any certification?

Thankfully, we’re here to help…

Who needs SOC 2 compliance?

As stated above, SOC documentation is a mess of confusing, contradictory descriptions and details, so let’s address this question as broadly as possible, then focus on the details.

If you’re a B2B software vendor of any kind, you should consider SOC 2 compliance sooner or later. The timing varies depending on the type and amount of data you gather, and what kind of clients you take on.

The more data you gather and the more sensitive that data is, the sooner you’ll be required by your clients to get certified. The same is true of larger clients - enterprise customers will need greater security measures and reassurances in place to put their trust in your product.

More specifically, here are the most common reasons you’d need to have a SOC 2 audit:

  • You’re a SaaS (Software as a Service) company or a managed IT and security service provider
  • You provide business intelligence, analytics, and management services
  • You oversee, facilitate, or consult with finances or accounting practices
  • You provide client-facing services such as customer management

Basically, if you store, process, or transmit any business client information, you’ll need SOC 2 certification sooner or later.

When to have a SOC 2 audit

Knowing when to have a SOC 2 audit is difficult, as it largely depends on the amount and type of data you’re handling, and the size of your clients.

However, due to the amount of time and money it takes to perform a SOC 2 audit, you should be trying to become compliant and have one performed as soon as possible. After all, while you might not need to be certified now, you’ll certainly need to be at some point, and it’s better to take care of it when you can handle the effect it will have on your operations instead of planning it last minute.

You can make this easier by starting out with a SOC 2 Type I audit first, since these are much cheaper and take less than half the time. Remember:

  • Type I: A SOC 1 or 2 audit of a particular point in time - a snapshot saying that you were compliant at the time
  • Type II: A SOC 1 or 2 audit over a period of time, usually 1 year - this gives more confidence in the ongoing validity of your security measures

Type II audits start by having a Type I audit performed anyway, so there’s no reason not to get the ball rolling even if you’re not committed to a full Type II audit. You can always stop after Type I if your situation changes and you don’t have the time or money for the full Type II.

In short, unless you’re on a shoestring budget or you handle zero client data, there’s no reason not to get started with SOC 2 compliance right now.
