Cybersecurity events and SOC 2: Strengthen controls to rebuild trust
Learn how cyber incidents impact SOC 2 compliance and controls. Read more to strengthen trust and resilience.
Every day there are more headlines in the news highlighting companies that have experienced a significant cybersecurity breach. According to the U.S. Government Accountability Office (GAO), federal agencies reported 32,311 cybersecurity incidents in fiscal year 2023. Cybersecurity breaches pose significant challenges to an organization's SOC 2 compliance, affecting its ability to maintain trust and convey that its systems and processes are available, reliable and secure. Understanding and addressing the impacts of a cybersecurity event on SOC 2 reporting is crucial for regaining customer confidence.
So, the real question is: What do you do if you determine your company has experienced a breach, or, almost as bad, one of your vendors has? A security incident response plan contains documented steps to take once an incident occurs; however, one often overlooked component in the aftermath is understanding whether the organization's SOC 2 needs are still met. A SOC 2 report has real-life implications for a company's ability to convey confidence to its customers and reflects its commitment to safeguarding customer data and maintaining operational integrity. After a cybersecurity event, maintaining this trust by performing a thorough and careful evaluation of the impact, so that the company remains compliant with SOC 2, is of paramount importance.
Impact of a cybersecurity event on the SOC 2 report
Following a cybersecurity event, preserving customer trust includes assessing the impact on an organization's SOC 2 controls, including the availability of evidence throughout the period. Here's what to consider:
- Evaluate your SOC 2 controls. Cybersecurity events, whether at your organization, a vendor or a subservice organization, may disrupt services provided to customers, including the performance of SOC 2 control activities. They can also reveal that your controls were not as effective as once thought. First, assess which SOC 2 controls are affected. Were there SOC 2 controls in place that did not identify, detect and escalate the security incident or event? Were the existing controls bypassed? Asking these questions sets the course for remedial action, which requires disclosure in the SOC 2 report. Another disruptive factor is that employees may neglect or discontinue control activities, intentionally or unintentionally, while involved in recovery efforts, which can impact the company's ongoing compliance and control effectiveness.
- Assess whether SOC 2 control evidence is still available. Cyberattacks often take the form of ransomware or other attack methods that can make data unavailable or destroy it entirely, including the documentation supporting the effectiveness of controls; missing evidence would cause exceptions within the report. When an incident occurs, it is important for an entity to also consider whether regular control activities were disrupted by the event or require enhancement. For example, is there a daily monitoring report that is no longer available due to a system outage caused by the incident? Is there a control to perform daily backups that is no longer running due to the outage? Further, if the AICPA trust services category in scope is Availability, the ramifications can be even greater if the service commitments were not achieved for the duration of the outage, which could result in a qualified opinion. Evaluation of compensating controls is a necessary component of this exercise.
In the end, your organization should reach a conclusion whether the failure of or disruption to your internal controls impacted the organization’s ability to meet its SOC 2 service commitments and system requirements to your customers. This conclusion impacts the service auditor’s SOC 2 opinion and disclosure requirements in the description of the system in the SOC 2 report. Organizations can adopt strategic approaches to evaluate the impact on SOC 2 reporting. This involves proactively evaluating and redesigning controls and addressing key reporting implications ahead of the examination.
- Remediate controls. While cybersecurity incidents and events often impose a significant cost and burden on a company, they are also an opportunity to evaluate the root cause and apply lessons learned from the forensic and post-mortem investigation. Improving the cybersecurity posture by redesigning existing internal controls or implementing new, more robust controls to address the threat landscape and risks is commonplace. Remediated controls will positively impact the organization's SOC 2 reporting options.
- Consider disclosure requirements with your service auditor. Evaluate whether disclosure in the Description of the System is required under the AICPA standard DC 200, Description Criteria for a Description of a Service Organization's System in a SOC 2 Report. Consider the systems impacted, the nature of the attack, the timing in relation to the SOC 2 period, and the extent of the effect on the scope of the SOC 2 report. Whether an organization needs to disclose the incident is a matter of judgment, informed by factors including the following:
  - One or more controls were deemed ineffective
  - Significant changes were made as part of the company's remediation
  - Public disclosure, i.e., reporting to regulatory authorities, is required
- Evaluate further SOC 2 reporting options. If the service auditors determine that the cybersecurity event impacts the opinion, consider the following options: extend the reporting period to include the remediated controls, or issue two SOC 2 reports: one that includes the incident (and the qualified opinion, if deemed necessary), immediately followed by a separate SOC 2 report for a shorter period that demonstrates the company's resilience and helps regain confidence and trust in your organization.
While you consider the above points, these might be helpful questions to ask:
- Did our controls properly identify and detect the security event?
- How would this impact our system requirements/service commitments?
- Did our risk assessment adequately contemplate a cybersecurity event and failure of our controls?
- Were our security staff and employees adequately trained?
- Do we have sufficient documentation of our SOC 2 controls backed up?
- What type of disclosure is required in our SOC 2 report regarding the event, if any?
- Should we consider extending our SOC 2 reporting period or issuing a separate report after remediation and redesigning our controls?
SOC 2 can still convey trust after a breach
Even after a cyber incident, SOC 2 reporting can demonstrate your organization’s commitment to security and reliability. By reassessing the organization’s processes through a control-focused lens, you can strengthen your cybersecurity posture while showcasing the resilience of your organization. A SOC 2 report that reflects proactive remediation and resilience reassures customers that trust remains a top priority.
Mica Katz