WHAT IS IT: System and Organization Controls (SOC) 2, developed by the AICPA, is an audit report on whether a service organization's controls manage customer data securely and in line with the applicable Trust Services Criteria.
WHO THIS AFFECTS: Service providers that store and manage customer data, and the clients that rely on them. A SOC 2 report underpins brand reputation, and a loss of brand equity affects business stability.
WHAT IS NEW: SOC 2 reports now require enhanced internal controls and greater transparency to address the growing cybersecurity risks that affect business operations.
WHAT ARE THE CHANGES:
- The Trust Services Principles and Criteria are now called the Trust Services Criteria (TSC).
- The TSP "principles" (security, availability, processing integrity, confidentiality and privacy) are now referred to as Trust Services Categories, to align more closely with the COSO framework and to minimize confusion.
- Criteria were added to address cybersecurity risks, fraud risk assessments, and risks related to vendors and business partners, increasing the SOC 2 common criteria series from seven (CC1 through CC7) to nine (CC1 through CC9).
WHY THIS IS IMPORTANT: Organizations that manage customer data and have report periods ending on or after December 15, 2018 must have these SOC 2 updates implemented. The updates add controls that must be designed, implemented and tested, so entities should plan the required resources and timing accordingly. Overall, the SOC 2 changes improve corporate oversight, vendor management and third-party relationships, and risk management.