Richard Porter: Hello, I’m Richard Porter. Today we’ll be taking a closer look at third party confidence. I’m joined by Fiona Davis who leads our Third Party Assurance Services in the London region and David Woerndl who leads the equivalent in the Financial Services sector.
We’re going to discuss the concept of SOC2 in relation to critical service providers.
Before we get in to the specifics of SOC2 David maybe you can tell us about some of the trends we’re seeing in the financial services sector that are relevant to this topic.
David Woerndl: Yeah I’d love to Richard. So in financial services the regulator is focused on three key areas, and that’s the regulator both in the UK and globally, and the areas of focus are around non-financial risk and the three areas are technology resilience, cyber security and outsourcing, and the market is moving to really understand, as you outsource key components of your business process or your data, who is keeping your promises? And there’s a real demand now for an assurance standard that talks of those key risks and SOC2 does that.
Richard Porter: So Fiona what is SOC2 for those that aren’t familiar with it?
Fiona Davis: Well Richard I think it’s important to start with what that acronym itself means and it is: Service Organisation Controls reporting, and what that is, it’s a framework used to provide management of the service organisation and its user entities or related parties with information and an independent auditor’s opinion on non-financial information related to five key areas known as trust service principles, and these are security, availability, confidentiality, processing integrity and last but by no means least, privacy, and each of these is then in turn underpinned by much more detailed criteria.
So it appears like it’s a very formalised and structured framework in relation to, in comparison with many others but it is indeed flexible as well in that organisations can select those principles most applicable to their business model.
Richard Porter: Ok. So David we see a lot of other standards out there. Why is SOC2 coming to the forefront for many organisations?
David Woerndl: You’re right Richard. I mean over the last few years we’ve seen a number of different standards and frameworks introduced into the marketplace. You know from ISO 27001 that speaks to information security to NIST and Cyber Essentials which are much more focused on cyber security threats and I think you know those standards and those frameworks are fairly narrow in terms of what they look at. SOC2 has much more breadth and depth in the areas that Fiona has mentioned previously, and what that allows us to do is go much deeper into those areas and report more consistently across that framework because the controls that are suggested within the SOC2 framework are already there and speak to all those different areas.
Richard Porter: So David I can understand the rationale for financial services. Maybe Fiona you could allude to why this is relevant to other sectors outside of financial services?
Fiona Davis: Well Richard I think it’s important to note that firstly it is very much linked to the points that David said at the beginning, that pull factor from the financial services industry, but we can see that as a result of that it’s applicable across all industries, irrespective of the size of organisation. So where we’ve been seeing this for example is across the legal sector, across those typical service providers such as data centres, or software service providers, and I would say that the momentum that we’ve seen very much reflects that we’ve reached a tipping point, as quite frankly Richard nobody wants to be on the front page of tomorrow’s news in relation to data leakage or outage, and a SOC2 report very much provides that medium through which they can demonstrate that resilience.
Richard Porter: So are we seeing any particular potential scenarios at clients that are evolving around the topic?
Fiona Davis: I would say there are probably three key areas for me. Firstly where it’s becoming a prerequisite for suppliers to secure key contracts, so a bit of a ‘licence to operate’, and quite often they require a quick turnaround for this which can present challenges in itself.
Secondly for suppliers themselves it’s seen as the preferred option because quite frankly nobody likes to be inundated with audits as a result of organisations invoking their right to audit and indeed to avoid those many questionnaires that come up fast and furiously.
I think my final point would be in relation to the fast growth sector. We’re seeing this being used very much as a medium to demonstrate proof of concept in areas such as FinTech, for example, where they’re trying to create that trust with their end user. So to sum that up Richard, I think what was very much considered a ‘nice-to-have’ in the past is very much now considered a ‘must-have’, and SOC2 is paving the way for that.
Richard Porter: Ok so I can see some benefits coming out of that. David are you able to elaborate a bit more about some of the benefits you’re seeing with the companies you’re working with, for example?
David Woerndl: Yeah I mean, I think there’s probably several more that I would like to highlight. So I mean one is around confidence and the confidence that these reports can create, so that’s confidence with your current customers and with your future and prospective customers. So it’s a really useful commercial tool to have one of these reports. It can also act as a brand enhancing moment as you’re able to much better demonstrate, you know, trust and transparency over your operations.
I think in addition, you know, if you have a control environment in your organisation that’s perhaps less mature, it provides an independent lens into that control environment and can help management really focus on areas that need to be strengthened. And finally I think it provides a track record. So because these reports are generally distributed on a six month or annual cycle, it provides that track record to the market that articulates how you’ve been doing against operational resilience requirements over a period of time.
Richard Porter: Ok. So finally if there were a couple of tips that both of you would be making to companies that are either being asked for one of these reports or are thinking about embarking on one, Fiona what would your tip be?
Fiona Davis: For me Richard I think the number one tip is do not underestimate the amount of time these processes take, from that decision point of embarking upon one until you have that final report, so start early to avoid any surprises down the line.
Richard Porter: Ok, and David finally?
David Woerndl: Well I think if you haven’t been asked for a SOC2 already then it’s likely that it’s only a matter of time, and the trick here is to engage with your customers early, really understand their requirements and think about what kind of reporting timeframe is going to work for all parties.
Richard Porter: Great. Thank you David, thank you Fiona. I hope that’s given people some food for thought and some insights.
So, we can clearly see a continued growth in the demand for SOC2 and many will no doubt welcome the structure and basis of comparability that it provides. We also know that the framework is evolving and revisions are expected later in 2016.
We’ll pick this up with you along with other related topics over the coming months.
Thank you for joining us today and we’ll see you again soon for the next of our third party confidence discussions. Goodbye.