Subservice Organization
Subservice Organization

New Watchword: Subservice Organization

By now, many organizations have begun to receive control audit reports covering 2017 (SOC1/SSAE18 and SOC2). One element of note is the emergence of subservice organizations, or fourth parties, in reports generated after May 1, 2017.

It’s interesting to see the revelation of underlying providers (fourth parties) within the updated reporting formats. While these new formats intentionally define what is being performed by contracted fourth parties, the disclosure of who is performing these efforts is often not as revealing as we expected or hoped.

At times, there’s a fog concealing the identities of fourth parties; phrases like industry-recognized third party or subservice organization are inserted in place of the names of the companies to whom your vendors have outsourced various responsibilities.

Overcoming vendor impediments to visibility

We’ve also seen the emergence of a new designation, Subservice Complementary Controls. This is where the report must detail where controls passed through to your organization are actually the controls from the fourth party.

It’s important to know and understand with whom you’re interacting.  But some vendors make it difficult for you to access information that you have a regulatory mandate to know.

For instance, what are the fourth parties supporting your vendors? Where is the datacenter generically identified in reports as a “subservice provider” physically located or backed up?

Is this datacenter via provision of a cloud-based virtual provider? How do you know where your sensitive client and organizational data resides or is being accessed? Is there potential for this storage or access to transcend the United States and U.S. Laws and Regulations? It would seem that the more you learn, the more questions you’ll need to ask.

Did vendor management just get even tougher? How do you manage fourth parties today? Do you map fourth party locations and location types?  As the complexities grow, it might be time for organizations to seek out automated solutions to help with the evaluation of these updated control audit reports.

Defend yourself against vendor and enterprise risk: Learn about our best-in-class VRM/ERM solutions.