Confidentiality of SOC 2 Reports: Why They Aren’t Publicly Shared

Why not just post your SOC 2 report as a downloadable version on the website to speed up the sales process?

Consider this scenario: imagine you ran a high-security bank and had a set of security plans for the building. Let's say the plans described the locations of cameras, the gates, the type of safes, the guard patrol routes, and the other safety checks in place. You would not willingly publish those plans.

Why? Obviously, doing so would make it easy for a thief to plot a route around those protections. Additionally, the plans might not be fully understood or appreciated by the larger public, who are not aware of best practices in this area.

You might decide to share the plans with a commercial customer who is considering banking with you, but has security concerns.

In the same way, it is not prudent (or, indeed, allowed) to publish your SOC 2 report as it describes your information security environment in some level of detail.

Let’s say a bad actor could just download the SOC 2 report from your website. The first thing they would check would be for controls exceptions – low hanging fruit for a ‘hacker’. If they see inconsistencies in your security awareness training plan, then phishing will be the way to go, and it will be all too easy to create a personalized email phish using the environmental information from the report. If they see patch management problems, then perhaps they will probe your network for unpatched vulnerabilities.

Infographic by Digital Guardian

But even assuming your report is completely clean, it still describes the security environment to such a level of detail that could give an attacker the information they need to compromise your systems. While there can always be some benefit from transparency of information, it comes at a cost as well, and you need to consider the impact of both sides of that coin.

Because of this, you want to ensure that the folks who receive a copy appear legitimate, have a legitimate business need, and sign an NDA to prevent unauthorized dissemination of the report.

What qualifies as a legitimate business need? Organizations typically reserve the sharing of SOC 2 reports for current customers, potential clients, business partners, auditors, and regulators: those who can demonstrate a justified need and, in many cases, are bound by non-disclosure agreements (NDAs) to prevent unauthorized dissemination of the report's contents.

In summary, the decision not to publicly share SOC 2 reports isn’t merely a matter of concealing information but rather a strategic measure to uphold the integrity of an organization’s security framework and shield against potential security risks.

Looking for an auditor who can help guide you through the SOC 2 process? Contact Render.
