A SOC 2 To Satisfy?

As organizations rely more and more on vendors, undergoing a Service Organization Control examination resulting in a SOC 2 report can help real estate service providers demonstrate security strength.

The risks associated with using third parties continue to evolve, with multiple hands touching data from its origination point to its final destination. If you are a custodian of your customers’ data, or you are using your systems to process your customers’ confidential information, it is not uncommon to be questioned about your security practices.

Security Questionnaires

For years, service providers have been inundated with security questionnaires from customers seeking to understand the policies, procedures, and processes in place within the security domain. This is not a new practice and remains commonplace – but in the current security landscape, are customers treating it as doing ‘enough’?

In short, the answer is that it depends. A long-term user of vendor services is likely to have more robust monitoring over its service providers. A user in the infancy stage of its security program, on the other hand, may be satisfied with a service provider’s responses to a security questionnaire. Across organizations in the space, however, a lingering question follows every questionnaire a service provider completes for a customer – “Am I, the customer, persuaded by the comforting text that this vendor has sent to me?”

Dry Steak or Fish in a Can?

Picture yourself in a restaurant looking at the menu while trying to decide which meal you are going to order. The restaurant has the goal of making money from your food order, and it will likely have a bias toward its own menu. You’ll never see a restaurant note in its own menu to avoid the steak because it’s dry or to stay away from the sushi because the fish comes from a can. If it did, you would likely take your business to a different restaurant. Alternatively, if the top 50 chefs in America wrote stellar reviews of the steak or sushi dinners, you may feel more persuaded that the food is of the quality the restaurant staff have already claimed. This is a loose analogy to responses provided by vendors in security questionnaires, where service providers don’t want to advertise potential shortcomings.

No More Security Questionnaires

One of the most common ways to combat this situation is for a service provider to undergo a SOC 2 engagement that results in a SOC 2 report. Not only will the SOC 2 report help a customer feel more comfortable about the service provider’s security program, but it is also commonly accepted in lieu of completing the tedious security questionnaire. A SOC 2 examination is performed by an independent CPA firm with no employment relationship to the service provider, and a rigorous framework must be met in order for the CPA firm to give a clean opinion on the provider’s security controls.

A Differentiator

In the realm of commercial real estate, the SOC 2 is highly relevant and can be a differentiator to customers. You may be a service provider who is managing properties for customers, with customer data moving in and out of your systems. Maybe you are supporting your customers’ payment processes to maintain facilities, with invoices being routed through your system for proper authorization. Perhaps you are the customer in this situation, and you are processing confidential information in a vendor’s SaaS application through your web browser.

Be the restaurant that has great reviews from the Michelin star chefs, and don’t be the restaurant that says it has great food that no one has ever actually tasted. If you are going out to eat, make sure you are eating at a place that has passed its health inspections. Analogies aside, the persuasiveness needed to address vendor security continues to grow as functions are outsourced, and the SOC 2 report is an excellent avenue to help demonstrate a commitment to security and to validate the effectiveness of mitigations where there have been prior shortcomings.

Author: Tom Miller, CPA, CITP, CISA

Contact Us

For more information on this topic, please contact a member of Withum’s SOC Audit Services team.