Best's Review



At Large
Drawer Full of SOCs

System and Organization Control can help insurers comply with cybersecurity law.
  • Dianne Batistoni
  • October 2018
  • print this page

By Dianne Batistoni

By Dianne Batistoni

Financial firms need to determine whether their vendors have adequate cybersecurity practices.

As the final deadlines approach for implementation of the New York Department of Financial Services cybersecurity regulation, many financial firms remain concerned with how to comply with the law's comprehensive standards for third-party service providers.

The final phase of the cybersecurity law goes into effect on March 1, 2019 and requires regulated entities to evaluate the risk associated with a third-party service provider and establish a written plan that ensures the security of all information systems and nonpublic information accessed or held by the provider. In short, they need to determine whether their vendors have adequate cybersecurity practices.

This is a major undertaking. But there is a tool that could help—System and Organization Control (SOC) reports. These reports, which are prepared by independent certified public accountants using standards promulgated by the American Institute of Certified Public Accountants (AICPA), evaluate controls at a service organization.

Here's a primer and advice on the various types of SOC reports:

SOC 1: This is primarily used to evaluate a service organization's controls over processing of financial transactions or systems that support financial transaction processing. This report is often important to the user organization's accounting department and auditors.

SOC 2: This evaluates an organization's information systems relevant to security, availability, processing integrity, confidentiality, and privacy against specific AICPA criteria. Because the SOC 2 includes details on tests and results that are sensitive in nature, it has a restricted distribution. It is primarily used by management, regulators, and auditors and as part of enterprise risk management.

SOC 3: Similar in criteria and purpose to a SOC 2, this report is available for general distribution and therefore does not include detail of the testing performed.

To determine the type of SOC report needed, user organizations should prepare a risk analysis of service providers, taking into account the services and exposures involved with each relationship. In some cases, multiple SOC reports would be warranted.

Request a SOC 1 when service providers are involved anywhere in the processing cycle of financial data. This includes payroll providers, trust/custodial companies, investment reporting, claims processing, policy administration and third-party administrators.

Request a SOC 2 for any provider that handles confidential, nonpublic data (including HIPAA), technology companies that provide data center services, managed service providers, cloud-based services, software as a service.

Request a SOC 3 when a SOC 2 is not readily available or if fewer details are needed.

If a third-party service provider processes data that includes both financial statement impact and critical confidential information (e.g., a claims processing TPA), a user organization should obtain both a SOC 1 and a SOC 2 or 3 from the provider.

For smaller service providers, a SOC report may not be available. In this case, use a vendor questionnaire along with follow-up inquiries to determine the strength of controls in place. Depending on the importance of the data and risk involved, testing by the user entity may be warranted.

SOC reports can provide insurers with a high level of comfort as to the processing integrity, security, privacy and confidentiality of their data and help them meet regulatory requirements.


Best’s Review columnist Dianne Batistoni, CPA, CFE, is a partner in the Insurance Services Group of EisnerAmper. She may be reached at

Back to Home