I review client SOC 2 reports and advise them on improvements. One client has asked me to assist them in attaining SOC for Cyber certification, including completing their annual SOC for Cyber audit and report.
In this new role I would be signing their annual report as the professional practitioner, as opposed to just reviewing it for them internally. This adds a new level of risk for me and my company.
Is anyone doing this as a CISSP, and are there E&O policies that cover these activities? I'm preparing to have the discussion with my corporate risk management. We are an engineering firm and I'm the lone cyber guy out of 5000 civil engineers, so our current liability coverage likely doesn't cover this.
@CV_SEC I assume you mean SOC 2 reports, and your call for E&O refers to this: E&O insurance is a kind of specialized liability protection against losses not covered by traditional liability insurance. It protects you and your business from claims if a client sues for negligent acts, errors or omissions committed during business activities that result in a financial loss.
The same could be related to cybersecurity insurance, which is a bit of a lottery. A lot of cyber insurance policies require a minimum level, i.e. ISO/IEC 27001:2013 certification or compliance as a baseline, which means you have a level of due diligence and the associated ISMS to manage the environment. However, given the ransomware attacks and increasing payouts, an organisation may get away with this once, and the insurance company actually pays out, but subsequently they will have recommendations and the premiums will increase, or, as we have seen recently, more insurance companies are bailing out of such specialist insurance because it is becoming more frequent and inevitable.
Organisations are going to be paying larger premiums, and possibly just to state they have cover, but under the covers, it may in fact be worthless, due to the number of conditions placed on the organisations to abide by.
SOC 2 is a point in time. These days continuous monitoring is required; static logging is insufficient to deal with today's advanced attacks, whether they come from within or from outside the organisation. Along with continuous cloud security posture compliance, static reports are no longer sufficient: they look good, but increasingly they are becoming less relevant, unless the organisation involved is constantly reviewing its posture automatically and remediating to keep it at the agreed baseline.
Often in a cloud situation the organisation has no clear understanding of its responsibilities, so you need to take that in hand as well, i.e. a cloud provider with a SOC 2 report, but in fact the client does not understand its own responsibilities, for instance the NIST 800-53 cloud security controls, of which there are 500, and perhaps only 287 of them are actually relevant.