Compliance Issues: How Important is SOC 2?


We often hear a similar set of questions about SOC 2 compliance. For example: “Are SOC 2 reports legally required by any specific agency?”, “What will happen if we fail a SOC 2 audit?” and “What if we ignore SOC 2 compliance altogether and worry about it after we’re up and running and financially sustainable?”

Our answers to these vary by circumstance, but in general, we recommend SOC 2 reports even if they come with a small amount of expense and hassle. Here’s why.

SOC 2 is Voluntary

SOC 2 reports are voluntary attestation reports issued by independent, non-governmental auditors (licensed CPA firms working to the AICPA’s standard) who examine how a company measures up against the five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security is the only category every SOC 2 report must cover; the others are included when they are relevant to the service you provide. Each auditor conducts the review in their own way, applying their own experience and judgement, so a clean report from an auditor with an excellent reputation carries more weight than one from an average auditor.

No government agency or regulator will penalize your business for a missing SOC 2 report, and strictly speaking a SOC 2 audit is not something you pass or fail: the auditor issues an opinion on your controls and lists any exceptions found while testing them. A report full of exceptions is still useful, though, because it shows you exactly where the weak links are in your data management system so you can get them fixed before a customer finds them.

A Clean Report Can Attract Enterprise Clients

Enterprise clients (and increasingly smaller clients with strong accountability requirements) are unlikely to sign contracts with startups before they’ve conducted a thorough review of the company’s security controls; many vendor-security questionnaires ask for a SOC 2 report outright. In this day and age, there’s simply too much at stake. Putting customer data at risk isn’t worth any other benefit the contract might offer. A clean SOC 2 report (especially one from a respected auditor) provides independent evidence of your company’s diligent and professional approach to cybersecurity, and saves both sides from re-litigating the same questions in every procurement cycle. A weak or absent one can keep you circulating in a small pond, so to speak, only able to access the smallest contracts.

SOC 2 Isn’t Just About Attracting Clients

There are some aspects of your security program—for example, your authentication procedures, your vendor reviews, or your breach notification process—whose gaps are hard to see from the inside, because the people who built them are the ones judging them. An external reviewer has no such blind spot. Think of a SOC 2 report as a medical checkup for your data management controls. A poor diagnosis doesn’t mean you’re doomed; it just means you’ve identified a problem that needs to be solved.

A SOC 2 Report Signals Professionalism

When you’re ready to take your company to a wider audience, it shows. You may be a long way from an IPO, but there are several milestones along the path from a garage workshop to global recognition, and a SOC 2 report can serve as one of them.