It’s National Cybersecurity Awareness Month, and it’s important to carry over the lessons learned into our everyday practices. We’ve gathered a collection of some of our most frequently asked vendor information security questions, with an emphasis on SOC and cybersecurity challenges.
FAQs: SOC Reports, Complementary User Entity Controls (CUECs) and Trust Services Criteria
The following are common questions we’ve received and we hope you’ll find the responses valuable:
Q1: How often should I ask vendors for a SOC report?
Answer: Our rule of thumb is to always request the most current report; it should be available to you 3-6 months AFTER the end date of the reporting period. For example, if a report covers January 1, 2020 through December 31, 2021, you should be looking to see that report available to you by June of 2021. Ideally, ongoing monitoring should be done annually, depending on the criticality and risk of your vendor.
Q2: How do I assess the quality of SOC reports?
Answer: This is a really difficult, but great, question. Ultimately, the short answer is that you want to make sure the SOC audit is performed by a reputable firm, that the system description and the controls audited make sense for the product or service the vendor provides to you, and that they are thorough enough to meet your due diligence needs and expectations.
Q3: I've heard and read many times that SOC 1 reports are to be reviewed when the vendor impacts or can impact your financial statements. Can you expand on what it means to be impactful? Does this mean that the vendor’s work goes into preparing them? For example, what if a vendor assists with the organization’s accounting? Or, does “impacting” refer to the vendor’s activities that are critical, where failure could affect the financial statements?
Answer: When talking about impacts to internal controls over financial reporting, SOC 1s are intended for organizations that could impact your financial statements. This includes vendors performing input, processing and output activities where the inputs are gathered from you and/or the outputs are sent to you. If those controls were not functioning properly at vendors such as online banking, banking core systems, check processing, card processing and many others, your financial statements would be impacted. The Public Company Accounting Oversight Board (PCAOB) also includes data centers in the scope of SOC 1 review, likely due to the impact such an organization would have on your organization if it were to cease operations or become unavailable.
Q4: Next year we’ll be undergoing a SOC 1 audit and will be responsible for reviewing the SOC reports of our third parties that are in scope and how they relate to the services they are providing to us. Any guidance on this or templates that can be used to show our diligence in reviewing the third party SOC reports?
Answer: This would be a great question for your chosen audit firm, as a good audit partner is there for you not just during the audit, but in preparing for it as well. This is another reason why having a readiness assessment is a great thing to do prior to your first SOC audit, as your audit partner will guide you through control design and what evidence they'll be looking for once your audit period begins. That said, in this context there are two areas you'll want to focus on. First, your vendor's complementary user entity controls (CUECs) and how you're satisfying the applicable ones. Second, understanding which critical controls in scope of the SOC audit you rely on your vendors to perform on your behalf, including complementary subservice organization controls, and confirming that your vendor didn't have any exceptions, especially around those controls.
Q5: In reviewing SOC 2 CUECs, should you review ALL the CUECs, including any additional specific criteria for availability (A), processing integrity (PI), confidentiality (C) and privacy categories (P) on the report, or just the common criteria (CC)?
Answer: Since CUECs are controls your vendor expects you to implement within your organization to complement the controls at the vendor, I would definitely review both the ones listed for the Common Criteria and those listed for any additional specific criteria. You can then eliminate any that don't specifically apply to your use of the vendor product or service, or to you as an organization. Generally speaking, we recommend the following high-level steps when approaching CUECs:
- Review the CUECs and their associated control objectives to ensure context is understood
- Determine which CUECs apply to you as not all will always apply
- Assign each CUEC to a person/team/role for responsibility
- Determine which CUECs you are already addressing
- Address each applicable remaining CUEC
- Record how each CUEC is addressed
- Assess CUECs with each new SOC report or with any significant internal changes
Q6: Have you ever seen a SOC report that did NOT include CUECs? What do you do?
Answer: Yes, a SOC report can definitely omit CUECs. That being said, you should then see a statement within the SOC report stating that CUECs aren't required for the operating effectiveness of the controls. If that statement is present, no further action is required on your part (except to document that!). If you don't see any mention of CUECs or the aforementioned statement, a quick follow-up with the vendor is recommended to confirm whether CUECs aren't required.
Q7: What can you do if your vendor is unable to provide the SOC report to you for their subservice organization (fourth party)?
Answer: It can be tricky getting these sometimes. We suggest seeing if you can sign an NDA with that subservice organization. You might also want to understand why they won't provide it. Do they not have one? Does your vendor not conduct vendor due diligence? That would be another problem all on its own. But usually it's because their vendor doesn't want them to divulge its confidential information. In that case, try to get assurance in other ways (i.e., ask for their assessment of that vendor, with redacted details if needed). Really, you want to be able to rely on your vendors' TPRM programs to facilitate mitigating fourth-party risks.
Q8: How do you know which of the 5 Trust Services Criteria a vendor's SOC 2 covers?
Answer: It will be clearly defined in the organization’s letter (attestation) in the beginning of the SOC report. It should also be in the letter (attestation) from the audit firm, generally in the first paragraph. It’s also usually listed in section four where testing is documented but it’s easier to find it quickly in the letters.
Q9: Are all 5 Trust Services Criteria required in every SOC 1 or SOC 2?
Answer: No, they can pick and choose but they have to at least do security. Security is the only mandatory Trust Services Criteria (TSC). So, if they decide to only do one TSC, it has to be security.
Q10: If a vendor will not provide their policies and reports, is it acceptable to obtain a certification that states they adhere to a set of security standards?
Answer: It’s not ideal, but this really depends on the risk the vendor brings to your organization and what you are willing to accept. Ideally, you want to see demonstrable evidence that policies exist. Certifications that they have met a security standard are a great step, and also assist in demonstrating an organization’s control maturity. Ultimately, you want to be able to see evidence of how they met those standards, so SOC reports (which provide actual control testing detail), penetration testing and policy execution are more desirable.
FAQs: Cybersecurity Assessments, Data Breaches and Cyber Insurance
Q11: Do vendors have a defined cybersecurity plan document, or is it a collection of several documents?
Answer: That varies from organization to organization. Some organizations believe everything should be in a single document. If the vendor is willing to share that with you, you can paint a picture of just how secure the organization is and you can then determine if you need to drill down further. They may be an organization that has the one-page policy rather than several smaller policies. In this instance you will have to ask for all the pertinent policies.
Q12: What entails a cybersecurity assessment for a vendor? Is it a review of their information security documents or a risk assessment?
Answer: A cybersecurity assessment should really start with a risk assessment to determine what level of cyber assessment each level of vendor needs. Once you determine who to assess, you can focus on the “what”. This should include document review, interview, etc. with a focus on the following areas:
- Security testing
- Sensitive data security
- Employee, contractor and vendor management
- Incident detection and response
Q13: Can you share the steps our organization should perform once a vendor breach has been discovered and/or reported from a TPRM standpoint? The right to audit is in place in our contracts, but we’re looking for specific suggestions for due diligence on our end during these scenarios. Should we request an incident report, go through the entire risk assessment again, or request specific items, if it has been determined that our company data has been compromised?
Answer: You're on the right track. As long as their risk assessment is current and the vendor can assure you that the appropriate due diligence was conducted, you won't need to restart a risk assessment. However, if either of those isn't true, start one immediately. Definitely prioritize assessing the damage, because you'll want to find out as soon as possible whether any company data has been compromised. Get a report from the vendor with as much detail as possible. Check the contract for anything that has to do with response and reporting on their end. Report the incident internally to the business and to any other security/risk stakeholders, as appropriate. Remember that while TPRM is a great source for gathering and reporting risk information, the risk is OWNED by the line of business that signed the contract. They should be the primary point person for this process. Depending on the scope of the breach and how your organization is set up, the issue may be passed off entirely to an incident response team, compliance, legal or risk. Keep track of progress in your vendor record, including what steps are taken to contain any damage. Finally, you'll want to circle back on the risk assessment process and document any lessons learned.
Q14: Do you have a specific requirement for vendors to carry cybersecurity insurance?
Answer: It’s highly advisable to require your vendors to carry cyber insurance when they provide products or services where they access, process, transfer or store personally identifiable information (PII) data. They should carry cyber insurance as a separate policy from general liability or professional liability insurances. You may wish to have the vendor add your organization as an additional insured entity in some cases. Remember that insurance coverage can be a highly complex issue. It’s advisable to either consult your organization's legal team or insurance provider for more advice.
Q15: Contracts will typically include breach language, but not incident notification language. How are incidents defined?
Answer: Incidents can be a multitude of things. Ideally, you want there to be language that allows you to be notified in a timely manner of any type of incident that impacts your (or your customers') data.
Q16: What is social engineering testing?
Answer: Social engineering (SE) is generally defined as someone with nefarious intent using manipulation, influence or deception to gain control over or access to your computer systems. This can be done by phone, email, postal mail or in person. When we talk about encouraging you to ensure your vendors are doing SE testing, you want to look for regular phishing campaigns combined with follow-up awareness training and tracking.
Q17: If a vendor doesn't have parts of an incident management policy documented, is it appropriate to ask for those requirements to be put in the contract?
Answer: Yes! Incident management is very important for organizations, especially those storing/processing PII. Contractually, it's common to see breach notification timelines and contacts outlined, as well as the right to assess the vendor, enabling you to gather the control verification you need, depending on the risks posed.
Q18: What dollar amount should cyber insurance coverage be?
Answer: This is variable and depends on the expected financial loss you could expect from a breach or incident. Though this can vary greatly, a good place to start is with a business impact analysis. We often see $5 million as a standard requirement from our larger clients.
Q19: What type of cybersecurity related controls should we be looking for when evaluating a third-party business continuity program?
Answer: At a high level, we're really looking to see if they have the following:
- Formal business continuity (BC) plan
- Ongoing maintenance
- Dedicated team or individual
- Updated after significant organization changes
- Personnel recovery to normal operations
- Pandemic plans
- Client/regulator breach and incident notification
- Annual business continuity plan AND disaster recovery testing
- Regularly updated business impact analysis
- Defined recovery time objectives (RTO)/recovery point objectives (RPO)
- Backup procedures – defined and tested
Cybersecurity risk is a constant threat in today’s business world, so it’s critical to ensure that your vendor’s information security practices are well developed to protect your organization’s data.