As part of our efforts to keep our clients updated on the latest developments impacting their business, the research teams of MGC Global Risk Advisory and Soni Chatrath & Co. have developed industry-specific risks and mitigating measures, with strategic inputs from our sector experts on best practices in the current times. We have also published the top seven areas on which boards and audit committees have placed specific focus over the past three months, and we can put you in touch with our experts on any of these that you may wish to discuss. Today's thought leadership focuses on one of these seven issues, which organizations like yours are facing: the management of cybersecurity risks.
 
We understand that there is increasing pressure on organizations like yours to bolster your cybersecurity measures. In this context, we refer to the framework for system and organization controls ('SOC') for cybersecurity, published by the American Institute of Certified Public Accountants ('AICPA'), which organisations across the globe can use to assess the efficacy of their cybersecurity systems.

Essence of SOC for cybersecurity
The SOC for cybersecurity report comprises the management's description of an organisation's cybersecurity risk management program, the management's assertion and the practitioner's report. Two sets of criteria are followed in preparing it: (a) the control criteria and (b) the description criteria. For the control criteria, an organization can use the trust services criteria ('TSC') or another framework such as ISO 27001/27002; the description criteria, as prescribed by the AICPA, include the following nine components.

  1. Nature of business and operations;
  2. Nature of information at risk;
  3. Cybersecurity risk management program objectives;
  4. Factors that have a significant effect on inherent cybersecurity risks;
  5. Cybersecurity risk governance structure;
  6. Cybersecurity risk assessment process;
  7. Cybersecurity communications and the quality of cybersecurity information;
  8. Monitoring of the cybersecurity risk management program; and
  9. Cybersecurity control processes.

The purpose of SOC for cybersecurity is to provide the basis for a rigorous and unbiased examination of an organisation's controls. The description criteria can be used as the benchmark for preparing an organisation's cybersecurity program. A readiness assessment against these criteria can further help identify weaknesses and, accordingly, develop strategies to mitigate them.
 
Differences between SOC for cybersecurity and SOC 1, 2 & 3
While the SOC 1 report is mainly concerned with examining controls over financial reporting, SOC 2 and SOC 3 reports are based only on the TSC.
 
SOC for cybersecurity differs from SOC 2 and 3 in several ways. First, SOC for cybersecurity allows the use of other control frameworks, while SOC 2 and 3 rely on pre-defined, standardized benchmarks for controls related to security, availability, processing integrity, confidentiality and privacy (hereinafter collectively referred to as 'the five TSCs') of the data center's system and information. Secondly, SOC for cybersecurity targets all users interested in the organisation's cyber risk management program, whereas SOC 2 caters to a specialised audience with an interest in gaining assurance over the design and operating effectiveness of a service organization's controls relating to one or more of the five TSCs. Thirdly, SOC for cybersecurity communicates the effectiveness of an organisation's cybersecurity program and can be used by any entity, whereas SOC 2 is an evaluation of a service provider's operational integrity and is consequently used only by service organisations. Additionally, SOC 2 allows the option to include or exclude subservice organisations, whereas under SOC for cybersecurity the organisation is solely responsible for all the controls and cannot offload responsibility onto a third party.
 
Key take-aways
A system and organization controls readiness assessment for cybersecurity will give your customers, prospects, auditors and other stakeholders a higher level of confidence in your internal processes and in your ability to mitigate cybersecurity risks in keeping with global best practices.
 
Please do not hesitate to reach out to us at contactus@mgcglobal.co.in in the event you would like to discuss your SOC requirements with our experts.
 
Have a great weekend.
 
Best regards
Markets teams
MGC Global Risk Advisory LLP

About MGC Global Risk Advisory LLP

Recognized as one of the '10 most promising risk advisory services firms' in 2017, as the 'Company of the Month' in January 2018, the 'Company of the Year 2018', 'Company of the Year 2019' (all in the category of risk advisory services) and one of the 'Top Exceptional Companies to Work For' in 2020, MGC Global is an independent member firm of the US$ 4.2 billion, Atlanta-headquartered Allinial Global.

MGC Global provides services in the areas of enterprise-wide risk management, control assessments (SOC, IFCR & SOX), internal audits, process re-engineering, governance frameworks, IT advisory, GDPR, cyber security, CxO transformation and forensic services. MGC Global has the capabilities to service its clients through its offices in Bengaluru, Mumbai and NCR, and has service arrangements in all major cities in India.

About Allinial Global

Allinial Global (formerly PKF North America) is currently the world's second-largest member-based association that has dedicated itself to the success of independent accounting and consulting firms since its founding in 1969.

It has member firms in 71 countries, which together have over 28,373 professional staff and over 4,000 partners operating from 611 offices across the globe.

Allinial Global provides its member firms with a broad array of resources and support that benefit both its member firms and their clients in the key impact areas of learning and development, human resources, international outreach, technical support, knowledge-sharing platforms through its specialized communities of practice, marketing resources, information technology and best practices in practice management.