Independent security reporting through SOC 2 is critical to the protection of sensitive data. Rich Sowalsky, CISA, senior manager with Baker Tilly Virchow & Krause LLP’s Risk, Internal Audit, and Cybersecurity Group in Philadelphia, discusses SOC 2 Trust Services Criteria and high-level ways service organizations and CPAs can enhance a control environment. Sowalsky will speak at greater length at PICPA’s 2019 Insurance Conference, Dec. 4-5 at Penn State Great Valley in Malvern, Pa.
By: Jim DeLuccia, Manager, Learning Content
Security preparedness is required within and across companies, and it's no less critical for CPAs working with, or for, insurance companies. Independent security reporting through SOC 2 is critical to the protection of sensitive data, which is why I'm joined right now by Rich Sowalsky, who is a certified information security auditor, or CISA, and senior manager with Baker Tilly Virchow Krause LLP, in Philadelphia in the risk, internal audit, and cybersecurity group. Rich will speak at greater length on this subject at PICPA’s 2019 Insurance Conference, which is Dec. 4 and 5 at Penn State Great Valley in Malvern.
Rich, thanks so much for joining me today for this in-person interview on CPA Conversations.
[Sowalsky] Yeah, of course. Thanks for having me Jim.
I think it might be a good idea to start with a refresher here. What exactly are SOC 2 reports?
[Sowalsky] Good idea. SOC in general, if we just talk about that, are system and organization control reports. These are reports on controls at a service organization that are relevant to user entities' internal controls. When we say service organization, think about a third party who's taking data from point A and processing that data to point B. And when we say user entities, we're talking about the recipients of those processing services. A great example of a service organization is, think about a claims processor or a third party administrator, a TPA. There are two primary types of SOC reports: there's SOC 1 and SOC 2, which is the one I'm going to be talking about. SOC 1 reports on controls that are relevant to a user entity's controls over financial reporting. I would guess that most CPAs, or a lot of CPAs, have some familiarity with SOC 1 reports, whether it's direct or indirect.
SOC 2 is a little different where it reports for service organizations on nonfinancial reporting controls that are relevant to a certain set of trust services criteria. We refer to those as the TSCs to make it a little easier to say.
Right. Always a lot of acronyms, right?
[Sowalsky] Yes. TSC's a little shorter and a little easier. The TSCs are comprised of criteria ranging from security, availability, processing integrity, confidentiality, and privacy. These TSCs are prescribed by the AICPA, and it's up to the service organization and the CPA practitioners working to perform the SOC 2 to determine which TSCs make sense for that service organization to actually report on, to report against the criteria. Basically everyone's doing security, because that's what everyone cares about: data security.
[Sowalsky] And then based on the type of service organization and what industry they report in or they sit in, that's when we determine: are there any other TSCs that make sense to report on? So an example of that, if you're a data center provider, you're going to obviously report on security, but you also want availability because it's critical that your systems are available at all times. If you're familiar with SOC 1s, think of the TSC criteria like the control objectives that we have in SOC 1s, with the difference being that SOC 1 control objectives are established based on what's relevant for the service organization in the industry they operate in, in order to provide reasonable assurance over user entities' controls over financial reporting. Whereas, as I said, the TSCs are pre-established by the AICPA for every SOC 2 regardless of the industry they sit in. So SOC 2's criteria are going to be consistent for every single examination. In SOC 1 we typically have control objectives over operational and financial areas and some high-level ITGC control objectives. SOC 2 is much deeper on controls over data security and is not reporting on anything related to ICFR.
Okay, that's great Rich. So now that you've laid that out and I think I can kind of see where this is going a little bit as we're talking about insurance companies. Why is SOC 2 so critical for CPAs working with, or for, insurance companies, or just working in the insurance industry?
[Sowalsky] As I mentioned, SOC 2 aims to provide assurance over data security processing controls. So obviously data security is a very critical priority these days for any industries handling sensitive or valuable data. And I would think most of the CPAs out there in the insurance space know just how essential the data that's being processed through insurance companies is, and data like insurance information and medical data and claims process, claims data and PII and PHI and all that stuff. It's among, if not the most, targeted data on the black market. The importance of the security over insurance data kind of speaks for itself. But if we dig in deeper there, there's a lot of elements to the SOC 2 that stand out. And within that SOC 2 criteria or guidance, which they update regularly, there's a large emphasis now on vendor management.
They're asking how service organizations manage their own third party sub-service providers and fourth party sub-service providers and so on. If we think about insurance companies particularly, they're very complex organizations; there's a lot of moving parts there that are required to run the operations properly. There's a tremendous amount of vendors and downstream sub-service providers that insurance organizations rely on in order for their user entity controls, and operations in general, to operate effectively. If you think about something like cloud providers hosting systems or security monitoring services or, on the operations side, claims processing services, underwriting, actuarial services, billing, etc., all these different types of services. These are all things that are often outsourced to third-party service providers. And those third-party service providers are now vendors. We're very concerned about how those vendors are managing their data and securing their data.
There's often a significant number of vendors within these insurance organizations that are relying on their third parties to ensure that user entity controls are operating. But on top of that, they're also given a lot of access into the service organization's environment. That's why vendor management is so critical, because now the vendors have access into service organizations' environments. So if the vendor gets breached, it's not just if the insurance company gets breached; if their vendor gets breached, well, now they can just work their way through into the service organization's environment and now you have a big security problem. Or on the other side of that, if you have a weak vendor, a poor vendor in general, and they're not holding up their end of the bargain, you're going to have a lot of operations fallout there.
And then the flip side of that, you also have a lot of instances where the insurance company is that critical third party vendor or third party service organization. You think about companies that, as I mentioned, claims processors or TPAs or pharmaceutical benefit managers, those are all third party service processors that are processing and maintaining a tremendous amount of critical and confidential and valuable data for user entities. The security of that data is critical. There's a strong emphasis within SOC 2 on how a service organization is monitoring the adequacy of their vendors who have access, and how they are maintaining their vendors, and whether they have a program in place to actually assess their vendors to determine that yes, these are reputable vendors and they're holding up their end of the bargain and we're not just giving access and relying on controls to operate to anyone. So from both ends of the spectrum, whether you're an insurance company that is requiring SOC 2s from your vendors or you're an insurance company who is the vendor and you need to show that you have effective controls over security, CPAs should really be emphasizing SOC 2 in order to gain comfort over protecting their critical data.
Understood. What's one insight on the latest SOC 2 Trust Services Criteria, the TSCs that you talked about, that you can share with our CPA audience? What's one example there or insight that you've gleaned?
[Sowalsky] One interesting thing about the new TSCs, and it feels like every year there are new TSCs, is that a big chunk of the security criteria, which is referred to as common criteria because everyone gets that criteria, a lot of the criteria in there now is tied to the latest COSO principles, COSO being the framework for sound company-level internal controls. They directly tie that in now with an emphasis on data security through COSO. So particularly if we think about some of the COSO principles like monitoring activities and control environment and risk assessment, they're all in that COSO block, those are pulled directly into the SOC 2 criteria now, which is interesting because what we're finding is that a lot of organizations are not as strong in those areas as they thought they were or as we might've expected them to be.
Some of the criteria like governance and monitoring and entity-level controls, when we start assessing those principles in relation to internal controls over data security, we find that there's some gaps there. Some criteria, it's as simple as, have you actually assigned an individual who is responsible for information security, and do you have a formalized org chart showing that those roles and responsibilities over information security are being properly filled? And again with these, especially with small to medium-sized organizations and insurance companies, we're seeing that there's actually gaps there and these roles aren't formalized. And then some other COSO criteria, like ensuring that the board of directors or audit committees are actively engaged in cybersecurity initiatives and risk within the organizations, those are now considerations within the actual SOC 2 criteria.
And again, we're finding that a lot of organizations are lacking coverage there, which is interesting, and some other COSO areas, just like removing some of the data security components, like ethics violations: do you have a mechanism for reporting ethics violations and someone who's responsible for responding to those complaints or reporting security incidents? Again, areas that we're seeing gaps in just from the addition of COSO principles into the new SOC 2 criteria. And the same for the SOC for cyber, even more so, because it goes deeper down the rabbit hole of information security oversight. A lot of organizations are struggling with meeting that or they're racing to implement them as we come in and perform a readiness on the new criteria.
Rich, can you share a few high level ways on how a service organization and/or a CPA can enhance the control environment or business operations through SOC 2?
[Sowalsky] There's definitely a number of ways to do that, and I definitely will be hitting upon that in the Dec. 5 presentation in Malvern. I think the most upfront answer to that, or the most direct answer, is that being SOC 2 compliant is inherently going to attract more business for you as a service organization. A lot of times the demand is being driven from prospective customers or existing customers, who are essentially the user entities, who are saying, you're contractually required now to show us that you have effective internal controls over data security. Those are being written into contracts or into RFPs saying if you want to do business with us, you need to be SOC 2 compliant. That's an attractive tool for generating new business for obvious reasons.
Another under-the-radar benefit, I would say, of SOC 2, it's not as extreme as getting tons of new business, but it's definitely something that I've picked up at our clients, is that a lot of the, call them compliance business owners, they appreciate SOC 2 because it saves them a lot of time not having to go through those security questionnaires that they often get for new clients or vendors. When they're trying to sign new business partners or bring on new vendors, either way, whether they're the vendor or they're bringing on a new vendor, most organizations, or sound organizations, require one or both of these parties to fill out these long questionnaires asking, do you have security controls? And they're super long and you're going through all these checklists, and most of the answers to those questions are reported in the SOC 2.
They no longer have to go through hours of time checking these boxes and reaching out to all these different information security business owners that they don't know and getting detailed descriptions about their firewalls and blah, blah, blah. They basically check one box that says, yes, we have a SOC 2, all your answers are in there, here you go. So it saves them a tremendous amount of time and hassle just from a due diligence standpoint of bringing on new business, which again, not as extreme as driving millions of dollars to new business, but if you think about it from an opportunity cost standpoint, it's going to save a lot of time for you and it saves a lot of time for these business owners, and they appreciate not having to go through those questionnaires.
That's very interesting. And finally, Rich, what's one way to develop new or expanded annuity services and how does SOC 2 relate to this?
[Sowalsky] Yes, that's a good question. One growing trend that, well, there's a number of ways to do that and I think we'll get into that as well in the presentation. But one of the growing trends that we're seeing is around, it's called SOC 2+. SOC 2 as we know it now requires us to report on service organizations' internal controls that are in place to meet those TSCs, to provide reasonable assurance of meeting service commitments and system requirements. Just because we're required to report against the TSCs doesn't actually mean that we're limited to only that criteria. There's some flexibility in that with how we present the SOC 2 reports. So SOC 2+ brings in options to test and report against additional criteria or even certain frameworks, if you will. So in the insurance space, we're seeing a lot of demand for SOC 2 plus HITRUST or SOC 2 plus HIPAA.
If you're a covered entity that's required to comply with HIPAA and protect the PHI of your members, we can actually go in and perform a SOC 2 examination, test the SOC 2 criteria, and then add on the HIPAA security rule or the HIPAA privacy rule into our report and testing. There's a Section 5 in SOC reports, which is other information. It basically allows you to provide any other information that's relevant to user entities. This qualifies as that. We find with HIPAA, and adding HIPAA and HITRUST or the NIST CSF or some of these other criteria or frameworks, there's a lot of repetition between what's required in the SOC 2 and what's required in these other criteria. Because at the end of the day, data security is uniform, and there's nuances to all these different areas, but for the most part the data security industry is on the same board with that stuff.
So there's a lot of repetition in order to become SOC 2 compliant versus HIPAA compliant, which is great for the CPA practitioners and for the service organizations, because it becomes pretty efficient to do that. We don't need to go and test all the SOC 2 criteria and then test all the HIPAA security rule separately on top of that. We have this concept of test once, report twice. We add on the criteria, or we do additional testing on the additional criteria that are only unique to the criteria not addressed in the SOC 2. The criteria that have crossover, we're going to test and report once, basically. And then on top of that we'll test and report on the additional criteria not already covered.
And because there's so much duplication, it's not that intensive of an additional process. Whereas you would think otherwise, it's not like you're doubling the process, which is nice and saves some time and efficiency for both parties. It's a great add-on for CPA practitioners trying to expand their annuity services, and it's also great for the insurance service organizations who may now not need to go through an entirely separate HIPAA or HITRUST or NIST CSF audit that they may have gone through otherwise. So what we can do is we just layer on to the existing SOC 2 examination, and I think it adds value for the service organization and it's also a nice add-on to be able to provide services by the CPA practitioners.
That's SOC 2+. That's interesting.
[Sowalsky] Yeah, a fairly new concept, but we're seeing a lot of demand for it because of, obviously, the increase in data security and just the spike in SOC 2 demand, coupled with the spike in HIPAA demand because of the constant breaches, or the spike in HITRUST demand because of the breaches in healthcare. It's an interesting, nice little package that we can offer.