When to disclose a security incident in a SOC 2 report

When to disclose a security incident in a SOC 2 report

If a company has experienced a security incident, it may be necessary to disclose certain information about the incident in their SOC 2 report. However, just like many other areas of the SOC 2 reporting standards, a great deal of judgment is needed to determine if disclosure is required. According to the American Institute of Certified Public Accountants (AICPA), incidents should be disclosed in a SOC 2 report if they a) were the result of controls that were not suitably designed or operating effectively or b) otherwise resulted in a significant failure in the achievement of one or more of the company’s service commitments and system requirements, as of the date of the report (for a type 1) or during the period of time covered by the report (for a type 2).

If there is uncertainty about whether to disclose an incident, then the following questions may help. If the response to one or more of the questions is “yes”, then that is a good indicator that you are dealing with a security incident that needs to be disclosed in the SOC 2 system description:

  1. Did the incident result from one or more controls that were not suitably designed or operating effectively?
  2. Did the incident result in a significant failure in the achievement of one or more of the Company’s service commitments and system requirements?
  3. Was public disclosure of the incident required (or likely to be required) by cybersecurity laws or regulations?
  4. Did the incident have a material effect on the Company’s financial position or results of operations and require disclosure in a financial statement filing?
  5. Did the incident result in sanctions by any legal or regulatory agency?
  6. Did the incident result in the cancellation of material contracts?
  7. Would information about the incident be relevant / important to readers of the report (i.e., customers)? And if that information was omitted from the report, would a reader potentially consider the system description to be materially misstated?

If you determine that it is necessary to disclose an incident in the SOC 2 report, the AICPA suggests that the disclosure include the following:

  1. Nature of each incident
  2. Timing surrounding the incident
  3. Extent (or affect) of the incident and its disposition

The AICPA also says that “Disclosures about identified security incidents are not intended to be made at a detailed level, which might increase the likelihood that a hostile party could exploit a security vulnerability, thereby compromising the service organization’s ability to achieve its service commitments and system requirements. Rather, the disclosures are intended to enable report users to understand the nature of the risks faced by the service organization and the impact of the realization of those risks.”

Although this guidance is geared toward SOC 2, the same approach can be used in a SOC 1 report.

Thanks for reading!