Due Diligence and Ongoing Monitoring

  • 1.  Infrastructure Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 01-06-2025 04:43 PM

    Hello,

    We are currently updating our vendor due diligence packages. With your Infrastructure vendors, do you ask for a SOC 2? Why or why not?



  • 2.  RE: Infrastructure Vendors

    Posted 01-14-2025 09:16 AM

    Happy to weigh in as a SME, but I would love to hear everyone else's thoughts as well. Reviewing a SOC 2 report for vendors in the Infrastructure tier as part of your annual due diligence provides several critical benefits, even though these vendors may not have access to GLBA-protected data. These benefits include:

    1. Assessing Security and Availability Controls

    SOC 2 reports are tailored to evaluate a vendor's controls around security, availability, confidentiality, processing integrity, and privacy. For infrastructure vendors providing essential services like communication, data protection, or electricity, the Security and Availability categories are particularly relevant.

    • Security: Ensures systems are protected from unauthorized access. This is critical for preventing service disruptions caused by cyberattacks.
    • Availability: Confirms that systems and services remain operational and meet uptime commitments, which is essential for your credit union's business continuity.

    2. Risk Mitigation for Operational Dependencies

    Vendors in the Infrastructure tier are integral to your operations. If these vendors fail, your institution may face operational downtime, which could impact member services and regulatory compliance. Reviewing a SOC 2 ensures these vendors have adequate controls to reduce the likelihood of disruptions.

    3. Regulatory Alignment and Best Practices

    Even though GLBA-protected data may not be involved, regulators expect institutions to demonstrate robust oversight of all critical third-party relationships.

    • A SOC 2 provides documented evidence of your vendor's compliance with industry standards, supporting your due diligence documentation.

    4. Identifying Weaknesses in Vendor Controls

    The SOC 2 report includes a section on exceptions or control deficiencies. These insights allow you to proactively address potential weaknesses in vendor processes that could pose operational or reputational risks.

    5. Supporting Incident Response and Recovery Planning

    Vendors responsible for communication or data protection are key players in your institution's incident response and recovery plans. A SOC 2 report helps validate that their infrastructure can support your recovery needs in the event of a service interruption.

    6. Ensuring Vendor Accountability

    SOC 2 reports are prepared by independent auditors, providing objective validation of a vendor's controls. This holds vendors accountable and gives you greater confidence in their ability to manage risks effectively.

    In my opinion, reviewing a SOC 2 report is crucial. It allows your organization to confirm that Infrastructure-tier vendors meet your risk tolerance and operational reliability expectations. This aligns with both regulatory expectations and your institution's broader risk management goals, safeguarding the continuity and integrity of essential services.




  • 3.  RE: Infrastructure Vendors

    Posted 02-24-2025 05:14 PM





  • 4.  RE: Infrastructure Vendors

    Posted 02-25-2025 07:30 PM

    We do not have an Infrastructure tier but may be creating one. Most IT infrastructure companies do not release their SOC reports if they are not holding data. This has caused some delays in being able to collect due diligence. I think for this year I will ask for it as an optional document. Their primary risk is operational, so what documents help show disruption is unlikely or would be short-lived? I was thinking business continuity and DR results, maybe pen testing for some. This seems insufficient for how dependent we are on them.

    I do like Denise's response and may use some of those points to encourage our Infrastructure vendors to provide the SOC 2.




  • 5.  RE: Infrastructure Vendors

    Posted 02-27-2025 12:57 PM

    Yes, we include SOC reviews for our infrastructure vendors. Some of our infrastructure vendors are supporting critical applications, so this becomes extremely important to ensure that those controls are in place.