SOC 2 Compliance: More Qs and As with Compliance Expert Bert Friedman
Bert Friedman is Head of Compliance at business banking startup Nearside (formerly known as Hatch). He has also served as Chief Compliance Officer for financial technology (FinTech) company Deserve and Vice President of Compliance for the Financial Intelligence Unit of Community Choice Financial, Inc., headquartered in Dublin, Ohio.
Bert has extensive “hands-on” experience with SOC 2, audits, and auditors. In a previous post, he shares some of the fruits of that experience in a lively “Everything Compliance” conversation with Trustero, Vice President of Marketing and Business Development Kimberly Rose. Below are some additional highlights from that spirited discussion, focused on the skills and resources you need to succeed with SOC 2, why SOC 2 compliance matters, and how soon you should pursue it.
Smaller companies and start-ups often have limited resources but need SOC 2 compliance as much as or more than their larger counterparts. So who should be the key compliance stakeholders at these smaller businesses?
You’re going to have your management or executive sponsor. You’re going to need someone from Compliance or Legal. You’re going to need somebody from IT. Then you’ll need your external consultant to get you to audit.
What is a small or mid-sized business that doesn’t have all these people in place supposed to do?
For smaller or newer companies, the question becomes, where do you want to spend your money? For example, if you’re at the seed capital stage, you may not need SOC 2 yet, because you’re still basically doing a proof of concept. But if you’re raising Series A funds or beyond, you will want to dedicate somebody or at least a significant amount of time to get that SOC 2 compliance. Because you’re going to be looking for business partners, many of whom will
demand it.
Whoever makes up the team, what specific skills will they need?
The first thing is the ability to articulate the “why?” to the company itself. This may require some technical expertise but could also be someone in management who’s just going to say, “We’re going to do this [compliance], and we need it because of X, Y, or Z.”
You’ll need somebody with legal or quasi-legal writing expertise, because a lot of writing goes into this. That’s true with SOC 2 Type 1, where you’re articulating your controls, and SOC 2 Type 2, where you recapitulate and update what the business does. Someone also must be able to explain to your auditor the evidence that shows you’re compliant.
Is there an optimal time for a smaller business or emerging enterprise to go after SOC 2 compliance?
It depends on the business plan of the company, and it depends on what industry you’re in. If you’re in financial services, for example, nobody will want to take on a relationship with you as a customer or a partner if you can’t credibly say, “we protect your security.” When you’re ready to differentiate yourself from the competition and demonstrate a strong, robust security regime, that’s the time to do SOC 2. And it’s probably better to start it before your customers and partners ask, as opposed to after.
It’s like insurance. You may not need it right away, but it’s great to have when you do need it.
For more guidance from Bert Friedman, check out his full Everything Compliance discussion with Kimberly. For more on the business benefits of SOC 2 compliance, read the blog post “SOC 2 Compliance: Recognize and Reduce Risk.” And for help crafting and navigating your path to SOC 2 compliance, get your copy of the e-book, “SOC 2 Compliance: Why it Matters and How to Get There.”