Updated with corrections.

When vetting third-party providers, especially those who will have access to participant data and information, it is important that plan sponsors conduct proper due diligence, which includes asking the right questions and requesting the right information.

More specifically, one key aspect of ensuring that service providers are up to par with their cybersecurity policies is requesting a service organization control, or SOC, report from the provider.

A SOC report is a third-party assessment of an organization’s ability to protect data and implement controls. However, there are different types of SOC reports, and Jon Atchison, senior team lead on CAPTRUST’s governance, risk and compliance team, says while people tend to use the different names interchangeably, they are very different animals.

First, a SOC 1 report covers internal controls for financial statements and reporting. Atchison says there may be a small amount of information security data in a SOC 1 report, but it is “very high level.”

In comparison, he says, a SOC 2 report is where information security is evaluated. When requesting a SOC 2, a plan sponsor can request a provider to obtain an evaluation against the five trust services criteria, which include security—the most common criteria—as well as confidentiality, processing, integrity privacy and availability.

Lastly, a SOC 3 report is a tailored version of the SOC 2 report that has been approved for public distribution. Atchison explains that a SOC 2 report is the full report that will include the auditor’s opinion, sub-processors, stated controls and each test that the auditor performed, as well as information on any gaps the auditor found in the state of controls. These gaps are typically referred to as an “exception,” Atchison says.

“Exceptions are not … all bad, but it’s something that you want to evaluate,” Atchison says. “A SOC 3 is not going to have that level of detail, and, therefore, it may not be of better value to a plan sponsor when they evaluate a third party. It can be helpful from a high level, but the real value is going to be found in the SOC 2 report.”

Typically, a SOC 2 report can be shared by the service organization to the plan sponsor that is being evaluated under a nondisclosure agreement. More likely than not, Atchison says, a plan sponsor would want to directly engage with the service organization and have the sponsor’s legal department review the NDA to make sure it complies with the sponsor’s own risk tolerances.

SOC 2 reports also come in different types. For example, a SOC 2 Type I report analyzes a company at a certain point in time, but it does not involve the results of testing operating effectiveness. A SOC 2 Type II report is more comprehensive in that it covers a period of time, usually between three and 12 months, during which the auditor can observe the controls’ efficacy.

For a plan sponsor, Atchison says a SOC 2 Type II report will provide the most value, as it covers a longer period of time and can validate the effectiveness of the state of controls. Therefore, he says, it provides the most assurance.

How to Interpret a SOC Report

While a SOC report is tailored to a specific audience, as those with cybersecurity expertise will likely best understand the auditor’s findings, Atchison says the beginning of the report is written more in business parlance, so people who may not have technical training can read and comprehend the auditor’s summary.

Several different opinions can result from a SOC report, and plan sponsors should understand the differences.

Atchison says the best of all possible opinions would be a “nonqualified opinion,” meaning the auditor did not find anything to give him or her concern about the state of controls and the operations, based on the trust services criteria being evaluated.

A qualified opinion, on the other hand, is an opportunity for the service organization to improve on some of the auditor findings, but the auditor ultimately did not consider it to be pervasive or detrimental to the overall opinion. This opinion essentially indicates that most controls were effective, but there were some areas that need improvement.

“If you think about it, auditors are paid to find things, and this is exactly why [providers] do this,” Atchison says. “Because [providers] want to get better, and they ultimately want to have an ability to provide assurance to their clients that their security controls are up to standard.”

An opinion that a company would not want to see is an “adverse opinion,” which Atchison says is a truly negative outcome, indicating that there were material or pervasive issues with the data security controls.

In addition, an auditor could have a “disclaimer of opinion,” which is issued when the auditor is unable to form an opinion due to various limitations imposed by the scope of the audit or when there are other issues that impacted the auditor’s ability to form an opinion.

Beyond the SOC 2 Report

If a company is seeking assurance beyond a SOC 2 Type II report, it can engage with a third party to perform comprehensive penetration tests on their networks.

The hired third party could, for example, conduct an external penetration test in which the third party acts as an attacker and attempts to overcome some existing controls to get into an organization’s network through unauthorized means or a vulnerability. An internal penetration test would simulate an attacker going into a provider’s network and test how far the attacker could go and what information the attacker could access.

Separately, a plan sponsor could also request a shared assessment, also called a standardized information gathering questionnaire, a lengthy questionnaire that any organization can fill out on its own and provide to its clients to demonstrate the type of programs they are running. A shared assessment typically covers more than 19 different security domains and can range up to hundreds of questions.

“The standard information-gathering approach is done by internal staff; it’s not done by an independent third party,” Atchison notes. “So, therefore, there’s only so much assurance you can provide, and that’s where I think the engagement with a third party can really add value to your [shared assessment], because [it] can be validated by an independent [party that says], ‘Yes, they did have good controls, and we tested them.’”

Atchison says the time it typically takes to request and receive a SOC 2 report from a service organization depends on whether the plan sponsor already has a relationship with the vendor or not. If there is an existing relationship, he says, an NDA may already be in place, which could lead to a quicker turnaround.