Is Your Vendor Really SOC 2 Type 2?


By now, you’re well aware of the security risks that threaten every level of an enterprise operation. So, what can your organization do about it? You’re likely taking all the necessary precautions: auditing vendors for third-party risk, asking the right cybersecurity questions, and ensuring each external vendor you use has certain cybersecurity safeguards in place.

A very “buzzy” term you’ll see in the cybersecurity space is SOC 2 or SOC 2 Type 2. If you want to manage cybersecurity risk most effectively, any external vendor your organization relies upon should be able to provide you with their SOC 2 Type 2 report.

But what does it really mean to be SOC 2 Type 2 compliant?

SOC stands for “System and Organization Controls” and is both an audit procedure and a set of criteria for organizations that act as third-party service providers for technology solutions. The controls tested by the SOC 2 Type 2 procedures demonstrate that the organization is following AICPA guidelines for the five trust service principles: Privacy, Security, Availability, Processing Integrity, and Confidentiality.

  • A company that has completed a SOC 2 examination has demonstrated that they have developed a set of security standards and procedures, that they follow them, and that they are able to produce these standards to an auditor.
  • Type 1 assesses the design of the security processes at a point in time. Type 2 is a report that assesses how well those processes and controls perform over a designated period of time.
  • In essence, SOC 2 means an organization has security standards and procedures in place. Type 2 means they have held up over a six- to twelve-month period and an independent auditor has verified them for all to see.

Because of the amount of cyber risk that exists today, most companies have controls in place to mitigate it. The question is, do you know how the third- and fourth-party vendors your legal organization interacts with handle and reduce cyber risk?

Here’s an example…

Due to complexity and cost, only the largest firms, such as Fortune 100 companies, own and maintain their own data centers. Most companies, including U.S. Legal Support, lease space in data center facilities. U.S. Legal Support leases a data center from a leading colocation datacenter provider, which U.S. Legal Support is proud to say is verified to be SOC 2 Type 2 compliant.

Many other litigation support service providers claim to be SOC 2 Type 2 compliant, but what this typically means is that the provider they lease their data center space from is SOC 2 Type 2. U.S. Legal Support doesn’t rely solely on our data center or cloud providers to have SOC 2 Type 2 reviews for compliance. Instead, we hold ourselves to higher standards. In addition to requiring SOC 2 Type 2 compliance for our data centers, we measure our own internal business operations, processes, and staff with the same rigor as we expect of our service providers.

We have external auditors confirm each year that we – U.S. Legal Support, the company – are adhering to the AICPA standards for SOC 2 Type 2 criteria.

An independent auditor annually verifies the procedures, safeguards, and technology we employ to ensure the protection of your sensitive data. This audit provides independent verification of the implemented controls, identifies any gaps so they can be addressed, and confirms that the controls stay effective over time.

Conclusion

The above example illustrates how easy it can be to feel your service provider is meeting your expectations of verified system and organization controls when they aren’t. In 2022, it simply isn’t enough for a company to have a SOC 2 Type 2 data center; you want the entire organization to be focused on protecting your most sensitive information.

You want a service partner who puts a lot of energy into protecting your data and documenting these procedures for all to see.

U.S. Legal Support recently put together a high-level security overview that details exactly how we keep client data safe throughout our organization.

Editorial Policy

Content published on the U.S. Legal Support blog is reviewed by professionals in the legal and litigation support services field to help ensure accurate information. The information provided in this blog is for informational purposes only and should not be construed as legal advice for attorneys or clients.