Case Study: Building Trust in Fintech – How SOC 2 Compliance Transformed a SaaS Platform Provider

Executive Summary

A Software-as-a-Service (SaaS) provider sought to enhance its data security and compliance posture to gain a competitive advantage with prospects, to meet its clients’ demands, and to satisfy its own regulatory requirements.

By implementing SOC 2 reporting, the company aimed to demonstrate its commitment to security, availability, and confidentiality to both existing and prospective stakeholders. This case study outlines the challenges faced, the approach taken, and the results achieved.

The Client

A SaaS provider to financial institutions. The company’s SaaS offering caters to institutional investors, fund managers, wealth managers, fund administrators and law firms.

The Challenge

The company faced several challenges:

  • Client Trust: Increasing client concerns about data security, availability and confidentiality.
  • Regulatory Compliance: The need to comply with industry standards and regulations, such as Know Your Customer (KYC), the Securities Investor Protection Act (SIPA), Financial Industry Regulatory Authority (FINRA) rules, Order Handling Rules, Market Access Rules, and Anti-Fraud Regulations.
  • Competitive Advantage: Differentiating from competitors by showcasing robust security, availability and confidentiality measures.
  • Operational Efficiency: Streamlining internal processes to ensure consistent practices.

The Approach and Solution

To address these challenges, the company adopted a comprehensive approach to SOC 2 reporting that included:

1) Assigned a Project Manager:

  • Identified and assigned a management representative to take the lead and coordinate SOC 2 responsibilities on behalf of the organization.

2) Gain an Understanding:

  • Withum performed external research to gain a preliminary understanding of the company, and the services offered.
  • Withum performed a walkthrough with the company to gain an internal perspective of the organization structure, the SaaS product (including the infrastructure utilized to provide the platform), and the internal infrastructure the company maintains to support the SaaS services.

3) Assessment and Gap Analysis:

  • Withum documented the company’s existing controls in place that meet the security, availability, and confidentiality categories within the Trust Services Criteria (TSC) – the criteria utilized in the SOC 2 reporting framework.
  • Withum analyzed the existing controls identified against the TSC and identified gaps in the company’s coverage of the criteria that required remediation before undergoing a SOC 2 audit.

4) Policy and Procedure Development and Rollout:

  • Based on guidance and support provided by Withum, the company was able to focus their efforts on establishing and refining their policies and procedures to address any identified gaps.
  • Following updates to the policies and procedures, the company communicated and trained the respective process owners on those changes to ensure they would be implemented in a timely manner.

5) Technology Configuration and Implementation:

The process owners at the company then implemented the policy and procedural updates throughout the environment. These updates included, but were not limited to, the following:

  • Updated their existing operating system and application configuration settings to adhere to the newly established or refined requirements.
  • Established mechanisms to formally document the execution of their controls.
  • Integrated monitoring and logging procedures to ensure continuous compliance.

6) Prepared System Description:

  • Utilizing a guide provided by Withum, the company developed a system description that describes the organization and the SaaS platform, as required by the SOC 2 standards.

7) Third-Party Audit:

  • Withum performed a SOC 2 Type 2 examination covering a twelve (12) month period to evaluate the fairness of presentation of the system description and the design and operating effectiveness of the controls.
  • The company provided management responses to, and remediated, the findings and recommendations resulting from the audit.

8) Continuous Improvement:

  • Established a continuous monitoring and improvement program.
  • Regularly reviewed and updated security, availability and confidentiality practices to adapt to evolving threats.

The Results, ROI

Implementation of SOC 2 reporting yielded significant benefits for the company, including:

  • Enhanced Client Trust: Achieved a 30% increase in client retention and satisfaction due to improved transparency, security, availability and confidentiality assurances.
  • Improved Risk Management: Facilitated the establishment of processes to enable the company to identify and address vulnerabilities proactively.
  • Regulatory Compliance: Successfully met all regulatory requirements, reducing the risk of fines and legal issues.
  • Operational Efficiency: Streamlined processes by identifying and eliminating redundancies resulting in a 10% reduction in operational costs.
  • Established a Security-Minded Culture: Created a culture that was more engaged and aware of individual roles and responsibilities in maintaining the integrity of the SaaS platform as well as protecting client and company information and resources.
  • Return on Investment: Realized an ROI of 150% within the first year, driven by increased client trust, new business opportunities, and cost savings.
