Assessing Vendor Cybersecurity Risks: Which Approach Is Best?

As the list of alternative vendor cybersecurity assessment methods grows, institutions need to determine which method or methods will provide the best insight into the adequacy of vendor cybersecurity controls. Please join Gary Deutsch, CPA, CIA, CBA, CMA, MBA for this important webinar, which focuses on helping vendor risk managers and auditors understand the benefits and pitfalls of the growing list of cybersecurity risk assessment methods.

Price: $299.00

Venue

This is a virtual event, accessible online. Access instructions will be provided after registration.
Assessing Vendor Cybersecurity Risks

As cybersecurity risks grow, so does exposure to customer data breaches through outsourced vendor relationships. To protect against outsourced risks, institutions have relied on CPA-prepared SOC 2 reports to provide insight into the cybersecurity controls that vendors have in place. As a result, SOC 2 reports have become the most requested document from third-party vendors. CPAs use guidance from the AICPA’s SOC for Cybersecurity examination methods to ensure that SOC 2 reports consider current cyber risks. CPA information systems auditors are independent, objective professionals who attest to the design of information security controls (in a SOC 2 Type I) and the design and operation of information security controls (in a SOC 2 Type II). Vendors must prove to CPAs that they have appropriate controls in place.

That said, there are a growing number of alternatives to SOC 2 reports that address vendor cybersecurity risks. Some say that the alternatives may be more comprehensive than the SOC 2 report. Others claim that the alternative methods rely too much on canned checklists. However, as cybersecurity risks grow, the need for risk assessments has expanded to meet market conditions. Now that institutions are considering some of these alternatives to SOC 2 reports, it’s time to review the potential use cases for some of the more popular assessment methods. For instance, the Shared Assessments Organization has a Standard Information Gathering (SIG) questionnaire that is being used as an alternative to the SOC 2 report. Is the SIG questionnaire a good SOC 2 alternative, or is it better used as a supplement to the SOC 2 report? How about engaging a CPA to perform an Agreed-Upon Procedures review instead of completing a SOC 2 report? Should institutions consider an ISO 27001 audit instead of a SOC 2 report?

WHAT YOU WILL LEARN

This webinar will cover the following:

  • How the purpose of a vendor cybersecurity risk assessment impacts the method used to conduct the assessment
  • Methods for deciding which assessment programs to request from a vendor if the vendor has not engaged a CPA to prepare a SOC 2 report
  • Considerations for vendors that only agree to have a SOC 2 Type I report prepared
  • What popular alternative cybersecurity assessment programs to consider and why
  • AND MUCH MORE!

PRESENTER

Gary Deutsch

WHAT'S INCLUDED

  • Access your training anywhere, with a computer, tablet or smartphone.
  • Engaging and up-to-date training to support your career and your organization.
  • Handouts you can distribute to your board and staff.