More and more community financial institutions are turning to third-party vendors for expertise, services and IT support. These relationships help community banks and credit unions streamline processes and offer more services to their customers and members. However, working with third-party providers can also open the institution to security risks. To ensure outsourced activities are completed in a safe and compliant manner, community financial institutions must perform comprehensive due diligence prior to entering into an agreement with an outsourced provider.
The due diligence process includes reviewing and assessing the vendor’s financial health; assessing the vendor’s knowledge and familiarity with the financial services industry and banking regulations; and verifying that information security controls are in place as well as the vendor’s ability to recover from breaches or disasters.
One of the strongest tools to help financial institutions perform due diligence is the System and Organization Controls (SOC) 2 report, designed to report on controls that are relevant to the security, availability and processing integrity of the systems used by service organizations. This is essentially a knowledgeable, qualified, and unbiased third-party auditor performing a deep review of the vendor’s policies, procedures, and practices, and then issuing a formal opinion that the vendor’s controls are adequate. In other words, a financial institution isn’t just taking the vendor’s word at face value because it has someone else confirming the vendor’s assertions. The strength of the SOC report comes from the fact that the vendor does not have the ultimate authority on the content and opinions of the report.
Since an audit report is such a strong control, it is often one of the first things a bank will seek from any potential vendor. As part of the vendor management process, financial institutions must actively review the reports, understand them and document that they adequately address all concerns.
Understanding the SOC 2 Report
There are seven critical elements financial institutions should look for in every SOC 2 report.
- Products and Services – Does the report address the products and services you’ve contracted for?
- Criteria – Which of the five Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy) are included in the report?
- End-user Considerations/Controls – Does the report contain specific actions that must be taken by the end-user?
- Sub-service Providers – Does the report include (inclusive method) or exclude (carve-out method) the vendor’s subcontractors (subservice providers)?
- Type I or Type II – Does the report address both the suitability of the controls’ design and their operating effectiveness (Type II), or only the suitability of their design (Type I)? A Type II report is more comprehensive and considered much stronger than a Type I.
- Auditor Exceptions – Is the report “clean”? Does it contain any material exceptions?
- Report Date – The date of the report should be within 12-18 months of the current date.
While there is nothing in regulatory guidance stating financial institutions must obtain a SOC 2 report from a vendor before entering into an agreement, it is a good step to take to ensure a solid vendor management program. With the increased use of vendors, paired with a recent uptick in cybersecurity incidents, financial institutions must conduct due diligence on all vendors to ensure they are addressing security gaps. Reviewing the provider’s SOC 2 report can provide that extra level of assurance and protection.
For more information, download our white paper, Managing Risk with Truly Secure Vendor Management Program.