One point I take away from every Venminder TPRM Boot Camp is that you must address the inherent risk internally first, and then, based on the controls you have internally to deal with a third party (i.e., what are the CUECs if you don't have a SOC 2? How do you gather those ahead of a contract?), discover the gaps and what mitigations you have.
So after I have a Criticality and a Risk Rating (and an NPI Data Tier/HIPAA Data Tier Rating in my case), we flag the vendor and require a SOC 2 or equivalent as part of the High/Moderate Data Tier rated vendors, Critical vendors, and additional considerations depending on the vendor's business disruption planning (if cloud based, are both the primary solution and backup locations onshore only and adequate? Are codependencies thought out and covered?).
So whether I get a SOC 2, ISO 27001, CyberGRX, HITRUST II, etc. -- I still have to merge those tested controls against our cybersecurity and HIPAA-related desired controls and practices, which we mark up into a questionnaire and get signed by the vendor.
As far as size, I have had a firm onboarded with about 6 full-timers and 4 to 6 part-timers, depending on their development plans. They started with no written policies, etc. In the end we made a case in the insurance space on why using the cybersecurity program model from the NY Department of Financial Services would help them help us (reinforced in contract) and open up the insurance market they were focused on, since NAIC grandfathered in, in all states, anyone compliant with NYDFS Part 500 (23 NYCRR 500). Now in the second year, couldn't be happier.
Original Message:
Sent: 07-01-2024 10:03 AM
From: Kelsey Theroux
Subject: SOC Requirements
Recently, we had a third-party/technology vendor that we wanted to onboard. This organization could not supply a SOC Report, due to not having one. Their reasoning was that they do not have one due to the size of their organization. What are your organization's requirements on needing/not needing a SOC report? If they do not have one, do you require any other type of documentation?