If you are a CIO or COO, there is an incredible amount of value that IT outsourcing can bring to your company, both from the standpoint of technical expertise and efficiency. But whether you want to "leave it to the experts" or "focus on your core competencies", the fact is that your company is ultimately responsible for what your outsourcing partners do on your behalf.
There are several examples demonstrating clearly that the risks are not only financial or legal, but reputational. No one wants to see their company's name splashed all over the front page of the news websites for all the wrong reasons.
On 27 May 2017 British Airways cancelled every single flight out of their busy international hubs in London. In all, nearly 600 flights were cancelled and thousands of people were left stranded both in London and around the world due to a power surge at a data center. The company's tech union was quick to associate the incident with the outsourcing of IT operations to Tata Consultancy Services, but this remains unconfirmed.
In addition, the 2013 Trustwave Global Security Report on 450 global data breach investigations revealed that nearly two-thirds of the data breaches they investigated were related to the use of an IT outsourcing partner to administer IT systems.
If the above facts have you cringing, are you sure the same things could not happen to your company?
If you are an outsourcing provider, incidents like these unfairly give everyone a bad name, and unless you take positive steps to show that you have the controls to prevent such situations, you risk being dragged through the mud with everyone else. As the examples above show, these "disaster reports" now name the outsourcing partner almost as often as the customer company, and the outsourcing partner is almost always presumed guilty. There is real reputational risk for your company as well.
SOC can help you gain control
A great way to address both these situations is with trusted third-party attestation reports that provide assurance regarding controls at IT outsourcing partners, such as Service Organization Control (SOC) reports. SOC 1 and SOC 2 reports (sometimes called ISAE 3402 or ISAE 3000 reports) are time-honored methods for businesses to ensure that they are partnering with strong companies with a focus on controls, and for outsourcing firms to demonstrate their seriousness about protecting the trust they have been given.
Sometimes an incident happens despite the most careful of control structures. In this worst-case scenario, a SOC report gives the outsourcing firm the ability to demonstrate control changes made to address the issue, and provides the business an impartial opinion that changes have truly been made and they are not receiving empty promises. It makes clear that both parties take the incident seriously and will ensure the incident cannot happen again.
If you are interested in pursuing attestation reporting, or would like to speak to someone about what attestation reporting options exist and what they would mean for your company, please reach out to:
© 2020 KPMG AS and KPMG Law Advokatfirma AS, Norwegian limited liability companies and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.