So, earlier today we wrapped up a webinar on SOC audits for managed service providers, and we had some fascinating feedback and data. First, if you missed the webinar and would like to view it, you can do so here.
Few MSPs Have a Current SOC Audit
As I suspected, a relatively low percentage of MSPs responding in the survey had a current SOC report; 22% to be exact. The rest of the MSPs did not. Even 22% is a large number as the actual percentage is probably less than 10% of MSPs who have a current SOC audit.
While this bodes quite well for those audited MSPs, it does present a significant opportunity for MSPs who haven’t been audited yet. I have long viewed the certified MSP community as being mostly involved in servicing regulated customers. There are exceptions to this, but for the most part, certified MSPs have to be verified because their customers expect it of them.
As regulations become more widespread and involve data privacy and security, the demand for MSPs who are certified and audited will also rise. This means that the existing audited MSPs will not be enough to meet the rising demand for managed services. More MSPs who are verified and certified will need to enter the market to keep pace with the increased demand.
Top Responses You Should NEVER Use for Audit Report Requests
If you happen to be in the majority of those MSPs who are not audited, here are some helpful tips for when you respond to compliance or audit report requests from customers. These are things you should never tell your customers:
I don’t have a data center
This demonstrates a fundamental lack of understanding about cyber risk and should never be used in polite conversation. It doesn’t matter if you don’t have a data center, you still can access customer data and therefore, you should have an audit report.
I don’t host customer data
Similar to the excuse above, the claim that you don’t host any customer data does not let you off the hook. To be clear, most MSPs do not “host” data or even own or control a data center. The unique role of MSPs as providers of remote managed services means that regardless of where the data center is (yes, that includes cloud for those millennials reading this) the logical or remote access to that data is still an unanswered issue which must be addressed for the customer. If you do host data, you’d better have a report, but if you don’t an audit may still be a requirement depending on your customer and the nature of what you do for them.
I outsource everything
This excuse is frequently used when the “MSP” actually utilizes external service providers for the majority of its managed services. Aside from the obvious question of what value does a company like this provide, there are essential questions related to data access which must be addressed, even if you are doing relatively little in the service delivery supply chain.
My data center already has a SOC audit
This is helpful but does not let the MSP off the hook. MSPs need to properly manage their vendors (we call them external service providers); this includes selecting vendors who have been adequately vetted and can demonstrate compliance through mechanisms such as SOC audits.
The fact that your data center has a SOC audit does not mean you don’t have to have one. How your data center secures your server has nothing to do with how you remotely access that server, interact with that data, etc.
I only need to complete my customer questionnaires.
Many MSPs received requests for information (or proposals) from customers. These RFPs often have many pages filled with many questions designed to get more information from the MSP. Completing one of these RFPs is not a substitute for an audit report.
One of the main reasons for this is that RFPs are not audited; nobody is verifying the information. Anyone can write up an excellent answer to a question, but it takes more than a written response to convince a customer to trust you.
Whether you choose a SOC report or an MSP Verify report, there are options for MSPs when deciding how to demonstrate trust, transparency, and compliance. Ignoring these trends, however, is not something MSPs should do.