System and Organization Controls (SOC) in versions SOC 1®, SOC 2® and SOC 3® are auditing and reporting standards of the AICPA (American Institute of Certified Public Accountants). These standards enable service providers such as data center operators or cloud providers to ensure and prove to their customers that they have the effective controls and measures necessary to provide the required services securely. The Ecovis consultants know the details.

SOC 1®: Internal Control over Financial Reporting (ICFR)

This standard is specifically designed to examine the controls in place at service providers that are relevant to the service provider’s financial reporting. There are two types of report:

  • Type 1 – a report on the suitability of the design and adequacy of controls to achieve the relevant control objectives at a given time.
  • Type 2 – a report on the effectiveness of controls in achieving the relevant control objectives during a specified period of time (typically 6 months or 1 year).

SOC 2®: Trust Services Criteria

The controls examined in SOC 2 and SOC 3 reports are assessed against the so-called trust services criteria for security, availability, processing integrity, confidentiality and privacy. SOC 2 reports can also be Type 1 (adequacy of controls) or Type 2 (effectiveness of controls over a period of time).

SOC 3®: Trust Services Criteria for General Use Report

As with a SOC 2 report, a SOC 3 report addresses controls related to the trust services criteria (security, availability, processing integrity, confidentiality and privacy). SOC 3 reports are subject to the same audit criteria as SOC 2 reports. However, there are some differences between SOC 2 and SOC 3. For example, SOC 2 reports are confidential and are only provided to certain clients, whereas SOC 3 reports are intended for public consumption and are usually posted on the company’s website as a marketing tool.

Conclusion

Whenever accounting-related or financially critical data and processes are outsourced, companies should ask their future service providers for a SOC 1 report. If a company wants to outsource the processing of its sensitive customer data to an external service provider (cloud/computing center), the IT service provider in question should obtain a SOC 2 report. As a rule, the service provider’s clients do not ask for a SOC 3 report. The service providers themselves make the SOC 3 report available to the public and thus communicate their attested security to the market.

“All large companies on the global market need to act now, in their supply chains and in their own practice areas,” said Federal Employment Minister Hubertus Heil on the introduction of the German Supply Chain Act (Lieferkettengesetz, LkSG). “We have fought hard and established a law that has legal consequences and packs a real punch.” In future, a careful risk analysis needs to be carried out to determine whether a violation of human rights or environmental standards occurred in the past or can be expected in the future. From 1 January 2023 the Act will initially apply only to large companies with their administrative headquarters or statutory seat in Germany that normally have at least 3,000 employees in Germany [section 1 (1) sentence 1]. According to the Explanatory Memorandum on the SCDDA, this concerns approximately 600-700 companies. A year later, this threshold will drop to at least 1,000 employees [section 1 (1) sentence 3 SCDDA] and will concern approximately 2600-3500 companies, according to the Explanatory Memorandum on the SCDDA.

On February 23, 2022, the European Commission adopted a proposal for a Directive on corporate sustainability due diligence. The proposal aims to foster sustainable and responsible corporate behavior throughout global value chains.

The new due diligence rules will apply to the following companies and sectors:

  • EU companies
    • Group 1: all EU limited liability companies of substantial size and economic power (with 500+ employees and EUR 150 million+ in net turnover worldwide).
    • Group 2: other limited liability companies operating in defined high-impact sectors which do not meet both Group 1 thresholds but have more than 250 employees and a net turnover of EUR 40 million or more worldwide. For these companies, the rules will start to apply 2 years later than for Group 1.
  • Non-EU companies active in the EU whose turnover generated in the EU meets the Group 1 or Group 2 threshold.

The proposal will be presented to the European Parliament and the Council for approval. Once adopted, Member States will have two years to transpose the Directive into national law and communicate the relevant texts to the Commission.

 

Germany

  • From January 1, 2023: large companies with more than 3,000 employees and their administrative headquarters or statutory seat in Germany
  • From January 1, 2024: large companies with more than 1,000 employees and their administrative headquarters or statutory seat in Germany
  • Scope: main business areas and immediate suppliers

EU

  • Date unknown; once the Directive becomes law, to be operationalized within 2 years: limited liability companies with more than 500 employees and more than EUR 150 million net turnover
  • +2 years: other limited liability companies with more than 250 employees and more than EUR 40 million net turnover
  • Scope: all business areas and the entire value chain

Differences and what you can do now 

The EU Supply Chain Directive is aimed at Europe-wide harmonized regulation. It is one of the numerous concrete implementations of the European Green Deal, which demands a sustainable corporate culture, and it is therefore ahead of the German LkSG.

  • For now, the German Supply Chain Act is content with a policy statement, while the EU Directive sees ESG due diligence as an integral part of corporate policy. The EU Directive will also require company management to take human rights, climate change and ecological consequences into account in all decisions.
  • The German Supply Chain Act contains no direct regulation, although BaFin issued a consultation paper in August 2021 in which the regulator identifies ‘greenwashing’ as a big risk for the customers of investment funds. Greenwashing is when companies inflate their sustainability or “green” efforts, typically through marketing or public relations activities. In its statement, BaFin announces that it will conduct special audits and investigations if something seems amiss.
  • Under the German LkSG, companies may report only on their own website, while under the EU Directive companies need to publicly communicate the due diligence obligations they have exercised.
  • The German LkSG is satisfied with risk management that has been put in place, while the EU Supply Chain Directive provides for the establishment of a comprehensive compliance management system. In addition, due diligence processes are to be set up and monitored.

Mandatory / regulatory requirements 

  • The Board has to name a ‘Human Rights’ delegate 
  • The Board also has to set the ‘Human Rights’ strategy 
  • More work for the internal legal department as the international suppliers may have different laws and regulations to follow; increased reputational risk with more reliance on suppliers 
  • Agencies like BAFA (Bundesamt für Wirtschaft und Ausfuhrkontrolle), the German Federal Office for Economic Affairs and Export Control, will be the new watchdog for this law.

Highly advisable / recommended

  • The Whistleblowing Directive will also come into play as a whole new playing field.
  • CPI (Corruption Perceptions Index): a good reference to get started with supplier management
  • Corporate Social Responsibility (CSR) reporting duty applies to listed companies, so it may not be applicable.
  • Increased focus on supplier management and suppliers in general (direct vs. indirect suppliers)
  • Increased focus for the HR department, as regulatory Human Rights management is a new requirement

The work plan has six phases: onboarding requirements of suppliers; initial due diligence; checks, reviews and valuation of suppliers; risk mitigation of high- vs. low-risk suppliers; transparency and control aspects; and monitoring of all suppliers.

Next steps 

It is highly advisable to start as soon as possible if you are identified to be in scope. From the analysis above, we also recommend that you do not merely comply with the minimum requirements of the German LkSG, but rather start implementing a long-term strategy that already takes the EU Directive into account.

Our multidisciplinary teams will help you with the initial set up and implementation. Our expert knowledge of Compliance and Risk Management will support you in order to avoid missteps, potential fines and reduce conduct as well as reputational risk you may face. 

 


During the Corona pandemic, legal measures such as the Infection Protection Act made it necessary to record personal data, for example access controls in accordance with the 3G regulation or even the vaccination status of employees.

This legal protection measure has expired, and the continued storage of the data collected therefore amounts to so-called data retention.

Captured vaccination data or copies of vaccination cards are also sensitive health data that must be treated with special protection. Permanent retention no longer has a legal basis, and the data would in any case be obsolete for possible later use in the event of a new pandemic, for example in the winter of 2022/23.

Barbara Thiel, the data protection commissioner for Lower Saxony, is taking the lead in calling on all companies and authorities to delete personal data collected in connection with the corona pandemic now. It is expected that other state data protection authorities will take a similar position and threaten sanctions for non-compliance.

Companies should review the data they have collected and delete everything related to Corona pandemic regulations (the slogan “less is more” applies here).

Against the backdrop of ever-increasing threats from cyber attacks, companies and organizations are faced with the following questions:

  • Is my company sufficiently secured against cyber attacks?
  • Which unknown gaps and vulnerabilities lie dormant in the company’s IT and endanger my business processes or pose a significant risk to my company?
  • How can I increase information security in my company, if possible without additional costs, and bring it up to the state of the art?

Medium-sized and smaller companies in particular often find it difficult to address the issue holistically and bring information security to an appropriate level of protection across the board, due to low staffing levels, a lack of expertise in IT security and limited budgets.
Outsourcing parts or all of the essential information security tasks to an external specialist – a so-called Security Operations Center (SOC) or Cyber Defense Center (CDC) – offers a solution that can be flexibly adapted to the requirements of each company.
A SOC/CDC is a service provider specializing in information security that is linked to the company’s IT and acts as a kind of security control center, taking over a large part of, or selectively only certain, security services that would normally have to be covered by the company’s IT department:

  • Security-related monitoring of corporate IT
  • Proactive addressing of threat situations through threat intelligence
  • Detection and elimination of vulnerabilities in IT systems and processes
  • Detection and alerting in the event of cyber attacks
  • Defensive measures and damage limitation
  • Customer-related support and reporting on security issues

Highly specialized cybersecurity experts, including security architects, analysts and forensic specialists, work 24×7 on the premises of the SOC/CDC service provider. As in a command post, all security-related information is displayed on screens in real time and they can react immediately in the event of anomalies. The working method is characterized by optimal and integrated tool support, a high degree of automation of the analyses as well as the optimal team structure and communication of the SOC team.
Depending on the specific requirements of a customer, different service models of cooperation can be defined, which allow outsourcing only certain parts, or almost all security services to the SOC/CDC service provider. The advantages of using a SOC/CDC are obvious:

  • Fast and effective response through automation and use of specialists.
  • Protection against the current threat situation
  • Continuous documentation and traceability
  • No need to build up internal staff
  • Holistic protection concept and customized solutions possible depending on customer requirements
  • Demonstrable adherence to legal requirements and compliance

Especially for smaller companies and medium-sized businesses, outsourcing essential IT security services to an external specialist opens up the possibility of achieving a high level of protection and state-of-the-art IT security. Due to the different service models and great flexibility, the services of a SOC service provider can be ideally tailored to customer requirements. It is usually not necessary to build up additional internal resources or experts for information security.

 

Cyber risks pose a major challenge to SMEs (small and medium-sized enterprises), and their impact is increasing. Management must treat this as a top-priority risk.

Ransomware attacks, in which businesses are ‘crippled’ through their computer systems, have increased dramatically, almost doubling in the first half of 2021, while the average ransom paid to escape the dilemma has increased by 82%. Globally, businesses of all sizes and types are being attacked with criminal ransomware. These attacks often bring business operations to a halt. Recovery takes time, becomes expensive, leads to loss of reputation and can disrupt or even stop business operations.

For example, JBS, the world’s largest meat processing company, had to pay a ransom of US $11 million to regain access to its data and systems. Ransomware led to shutdowns of water and water treatment plants at Norwegian energy technology company Volue, affecting 85% of the Norwegian population. Transnet, a South African port operator, was also affected by ransomware, causing disruptions and delays at one of South Africa’s major ports. In Germany, attacks on hospitals led to network problems and days of outages at the University Hospital in Düsseldorf or the Neuss Clinic. In hospitals in the USA, networks were reportedly disconnected due to ransomware in the first six months of 2021 – either through their own measures to avoid a security breach or because they were forced to do so by a severe malware infection. 

The problem with SMEs, unlike large companies, is that they do not have cybersecurity departments. Accordingly, they often only react after an attack, which can simply cripple business for many SMEs. 

A particularly worrying trend is that criminal cyber attacks are taking shape in ways that were once the preserve of state actors. This is most common in so-called “supply chain attacks”, which target the supply chain: unknown flaws in a supplier’s technology are exploited, and the compromised supplier then infects its own customers, bypassing traditional defences such as anti-virus software.

Cyber technologies are exploited by states primarily to conduct economic espionage and intellectual property theft. State cyber operations have doubled since 2017, with a third of these attacks apparently targeting businesses. One of the most high-profile recent examples was the Russian attack on US technology company SolarWinds, which exploited security vulnerabilities in trusted technology products. 

SMEs are the engine of our society and unfortunately also the sore spot. It is all the more important that management recognises the risk and develops a good understanding of what it needs to protect and how much risk it wants to take. 

Important for the assessment is an independent evaluation of the cyber risk profile and the effectiveness of the current cyber security precautions in the company. Based on this, SMEs should invest in a cyber improvement programme and ensure they have access to the cyber skills they need, including independent third-party expert advice. 

What does the future hold for cyber security in SMEs? SMEs, especially growth companies, are potentially becoming real targets for attack as they expand. SMEs need to be more engaged in cyber security to address the challenges effectively and in a timely manner. The Risk Management System (RMS) with all its processes needs to be rethought and implemented. Embedding a security culture in the company is the best protection against cyber threats, and this needs to be exemplified from the top down.

Corporate IT in constant change 

Driven by technological change and entrepreneurial growth, many companies have the need to adapt their IT landscape and application environment to the new circumstances. Such adaptations almost always include changes to the underlying business processes as well as the introduction of new technologies, be it the replacement of legacy systems or the development/introduction of new software and applications (such as an ERP system), the outsourcing of the IT infrastructure to the cloud or the introduction of more complex topics such as blockchain technology or artificial intelligence. 

However, the modification of existing or the introduction of new IT systems is always associated with significant challenges. This applies both on a small and large scale and is to some extent independent of the type of project in question, although the risks increase in particular for medium-sized and large projects due to their increased complexity. 

Challenges in IT projects

The challenges in the implementation of IT projects consist first and foremost of the typical project risks such as schedule and budget overruns and quality risks. However, there are also other risks such as 

  • Risk of undesirable developments and non-fulfilment of requirements 
  • Gaps in information security and missing or inappropriate controls 
  • Migration risks 

Furthermore, when new processes and technologies are introduced, there is almost always uncertainty about the regulatory and legal requirements, which results in corresponding compliance risks. 

Possibilities of risk mitigation on the basis of IDW PS 850

A variety of project-related measures are possible to address these risks. They range from classic project management activities such as the selection of a suitable project methodology, proper project planning and control, resource allocation and clean requirements and quality management, up to appropriate testing and formal project acceptance.

In addition, there is also the possibility of minimising project risks by involving an external, neutral authority that accompanies the project selectively for the acceptance of certain project milestones or for the entire duration of the project up to the final acceptance. 

The establishment of such a project-accompanying inspection by an external and neutral body offers the following opportunities: 

  • Early assurance that all requirements are taken into account in the specifications. 
  • Compliance requirements 
  • Compliance with relevant regularity requirements (e.g. balance sheet continuity) 
  • Security by design 
  • Adequate IT controls 
  • Coverage of requirements for future audits 
  • Neutral and independent assessment of project status (deliverables and milestones) 
  • Neutral and independent assessment of risks and measures during project implementation 
  • Additional quality assurance 
  • Overall acceptance of the project by an independent external body 

The procedure for such a project-accompanying audit is based on the auditing standard IDW PS 850 issued by the Institute of Public Auditors in Germany. This standard contains important specifications for auditing throughout the entire project life cycle: 

  • Project planning and organisation 
  • System design, development and test phases 
  • Data migration 
  • Rollout and go-live 

In addition, PS 850 also provides guidelines for the use of third-party examinations or audit results as well as for documentation and reporting. 

Conclusion

The early involvement of an external independent expert ensures compliance with the regularity requirements and balance sheet continuity, acts as a neutral authority for quality assurance and risk monitoring and may even serve as an institution for the acceptance of the overall project. 

The external auditing body can draw on experience from similar projects, provide valuable advice and recommendations for project implementation and thus significantly support the overall success of the project. 

Home office has been the policy solution since Covid-19 to minimise the spread of the virus through social distance in the workplace. In the past, working from a home office was unthinkable and had negative connotations, because employers had little confidence in employees. Self-discipline is a must here, as is the separation of work and private life. It can be seen that after the Corona pandemic, significantly more people are able to work on the move than before and want to keep it that way. Almost no one wants to go back to open-plan offices after Corona. New Work is the new buzzword. It could be seen that productivity and work performance from the home office have not diminished, which is why many companies are more open to this topic.

The growing interest in remote work also increases the temptation to move the home office abroad. However, certain regulations apply to such a stay, and the employer’s written consent is required. Within the EU, remote work is the least complicated, because no residence permit or work permit is required. Exceptions to this are third countries such as the United Kingdom. An A1 certificate is required so that social security contributions are not charged twice. With an A1 certificate, an employee proves that he/she is covered by social security in his/her home country during a business trip to another European country. This certificate is valid within the EU, the European Economic Area (EEA) and Switzerland. However, there are social security challenges and risks when working from abroad. Here, the employer must familiarise himself with the social security regulations of the other country and implement the registration, reporting and contribution obligations correctly and on time. There is a risk of sanctions from the competent authorities if social security contributions are paid into the wrong social security system.

In order to ensure that mobile working abroad can be legally regulated, a forward-looking plan should be drawn up together with the HR department and corresponding regulations, recorded in a supplementary agreement, should be made. If there are any concerns that the productivity or accessibility of the employee abroad will suffer, you can agree on a kind of test run. This does not apply to self-employed persons, as self-employed persons are freer to choose their workplace. 

In August 2021, around 40 companies in Berlin received letters from the Berlin Commissioner for Data Protection and Freedom of Information, Maja Smoltczyk, requesting them to adapt the tracking on their websites to the data protection regulations. The corresponding press release is enclosed.

The GDPR clearly states: Website operators who want to track user behaviour with the help of cookies and other technologies need a legal basis. Many cookie banners on websites differentiate cookies, but often no effective consent is obtained. 

It must be equally easy for every user to refuse or to consent to tracking. Preset tracking preferences designed to force consent are not legally compliant.

The authority’s notice campaign was a first warning to selected companies. The responsible parties were requested to immediately design their consent mechanism in accordance with the GDPR requirements. A second examination of the websites of the companies reprimanded may result in measures by the authority.

Seek competent advice on designing and auditing your cookie banners. Here are the most important requirements for a practical and data-saving opt-in procedure: 

  • Obtain consent only when necessary. 
  • Differentiate between different processing operations. 
  • If consent is required, the options should not be too extensive. The user should be able to make the settings according to his or her wishes with just a few clicks. 
  • The use of the website service should not depend on consent. 
  • The consent module must be easy to use, adapted to the user group and compatible with different end devices.
  • All information on the processing of data must be transparent, easy to understand and neutrally designed. 
  • A data-saving default setting should be provided. 
  • The design must not distract the user from the essentials and manipulate the user into changing the settings. 
  • A data protection cockpit should enable subsequent management of the authorisations granted. 
  • Make the topic more understandable with icons and pictograms. 
  • Conclusion: Transparency in consent strengthens your trustworthiness. 
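The requirements above can be turned into a small, testable consent model; the following is an added example written for this page, not code from Ecovis or from any consent product. The purpose names, the script catalogue and the two banner configurations are constructed for illustration, and it runs in Node without a browser.

```javascript
// Added example (not part of the original article): a minimal consent model
// that encodes the opt-in requirements listed above. Purpose names, the script
// catalogue and the banner configurations below are constructed, not real.

// Processing operations the site wants to run. Essential purposes (needed to
// deliver the requested service) need no consent; everything else is opt-in.
const PURPOSES = {
  session:   { essential: true,  label: "Keep the visitor logged in" },
  analytics: { essential: false, label: "Audience measurement" },
  marketing: { essential: false, label: "Personalised advertising" },
};

// Data-saving default: every non-essential purpose starts as "denied".
function defaultConsent(purposes = PURPOSES) {
  const granted = {};
  for (const [name, p] of Object.entries(purposes)) granted[name] = p.essential;
  return { decided: false, granted, history: [] };
}

// Every decision is appended to an in-memory audit trail (timestamp, action,
// resulting state) so that the consent obtained can be evidenced later.
function withDecision(state, action, granted) {
  const entry = { action, granted: { ...granted }, at: new Date().toISOString() };
  return { decided: true, granted, history: [...state.history, entry] };
}

// Accept-all and reject-all are symmetric: one action each, no extra clicks.
function acceptAll(state, purposes = PURPOSES) {
  const granted = {};
  for (const name of Object.keys(purposes)) granted[name] = true;
  return withDecision(state, "accept_all", granted);
}

function rejectAll(state, purposes = PURPOSES) {
  const granted = {};
  for (const [name, p] of Object.entries(purposes)) granted[name] = p.essential;
  return withDecision(state, "reject_all", granted);
}

// Granular choice per processing operation. Essential purposes are not
// toggles, because they never required consent in the first place.
function setPurpose(state, name, allowed, purposes = PURPOSES) {
  const p = purposes[name];
  if (!p) throw new Error(`unknown purpose: ${name}`);
  if (p.essential) return state;
  return withDecision(state, `set:${name}=${allowed}`, { ...state.granted, [name]: !!allowed });
}

// "Data protection cockpit": consent can be withdrawn later, purpose by purpose.
function withdraw(state, name, purposes = PURPOSES) {
  return setPurpose(state, name, false, purposes);
}

function isAllowed(state, name) {
  return state.granted[name] === true;
}

// Loading gate: a tracking script is only emitted when its purpose is allowed.
// Before any decision has been made, only essential scripts qualify.
function scriptsToLoad(state, catalogue) {
  return catalogue.filter((s) => isAllowed(state, s.purpose)).map((s) => s.src);
}

// Static check of a banner configuration against the requirements. Returns a
// list of findings; an empty list means the configuration passes.
function auditBannerConfig(cfg, purposes = PURPOSES) {
  const findings = [];
  for (const [name, p] of Object.entries(purposes)) {
    if (!p.essential && cfg.defaults[name] === true) {
      findings.push(`non-essential purpose "${name}" is pre-selected`);
    }
  }
  if (!cfg.rejectAllButton) findings.push("no one-click reject option");
  if (cfg.blockSiteWithoutConsent) findings.push("service use depends on consent");
  if (!cfg.settingsReachableLater) findings.push("no cockpit to change consent later");
  return findings;
}

// Constructed samples: a weak banner beside a compliant one.
const WEAK_BANNER = {
  defaults: { analytics: true, marketing: true }, // pre-ticked boxes
  rejectAllButton: false,                          // only "accept" or "settings"
  blockSiteWithoutConsent: true,                   // consent wall
  settingsReachableLater: false,                   // no cockpit
};
const COMPLIANT_BANNER = {
  defaults: { analytics: false, marketing: false },
  rejectAllButton: true,
  blockSiteWithoutConsent: false,
  settingsReachableLater: true,
};

// Constructed script catalogue, one entry per purpose.
const SCRIPTS = [
  { src: "/js/session.js",                   purpose: "session" },
  { src: "https://analytics.example/tag.js", purpose: "analytics" },
  { src: "https://ads.example/pixel.js",     purpose: "marketing" },
];

console.log("weak banner findings:", auditBannerConfig(WEAK_BANNER));
console.log("scripts before any decision:", scriptsToLoad(defaultConsent(), SCRIPTS));
```

The same `scriptsToLoad` gate belongs in front of every tag manager or pixel, so that withdrawing consent in the cockpit immediately stops the corresponding script on the next page load.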

The standard contractual clauses have finally been adapted to the GDPR and take into account the ECJ case law on the Privacy Shield.

Note: all standard contractual clauses already concluded must be updated within 18 months, i.e. by 27 December 2022. All contracts newly concluded from 29 September 2021 must take the new standard contractual clauses into account.

How are the standard contractual clauses concluded in practice?

In practice, the standard contractual clauses are usually provided by service providers in these forms:

  • Individual contract – Especially when contracting with companies that do not work on a large scale for EU clients, the standard contractual clauses are provided in the form of a contract (usually as a PDF file), which is then signed individually.
  • Part of T&Cs – Large US providers offer standard contractual clauses as parts of or attachments to their T&Cs, so that the standard contractual clauses are automatically concluded with the conclusion of the contract (example of the email platform MailChimp).

However, concluding the standard contractual clauses alone is not sufficient. The level of data privacy must be examined in each individual case. The ECJ and the data privacy supervisory authorities do not reject the transfer of data to third countries (e.g. USA) as such, but require the actual level of protection to be checked.

  • Checking the text of the contract – You must check whether the correct standard contractual clauses have been chosen for the respective contractual constellation and whether their content has been left unchanged. You also need to check that the annexes have been properly completed.
  • Checking the actual level of data protection – You must also check whether the promises to provide an adequate level of data privacy are actually kept. This means checking whether the risk of access to the data by US authorities, as described by the ECJ, is prevented. Measures such as encryption procedures, pseudonymisation, server location in the EU, or a low risk to the data of the data subjects contribute to an adequate level of data privacy.

However, the recitals of the new standard contractual clauses give rise to interpretation problems, in particular point 7:

The standard contractual clauses may only be used for such data transfers to the extent that the processing by the data importer does not fall within the scope of Regulation (EU) 2016/679.

This recital would mean that the standard contractual clauses would not have to be concluded at all if, for example, a US cloud service falls under the GDPR. This would be the case, for example, if Dropbox, Microsoft Cloud or Google Cloud were also aimed at EU citizens. If an EU company then stores customer data in such a cloud, no standard contractual clauses could or would have to be concluded with Dropbox, Microsoft or Google. However, this result contradicts the wording of Art. 44 et seq. GDPR, which does not provide for such an exception in the case of processing in a third country. It is therefore to be hoped that the EU Commission will soon publish an interpretation aid for its erratic interpretation guidelines.

This means that you must become active and take the following measures:

  • Take stock in your own company – check whether data of customers, users, members, etc. are processed in third countries and especially in the USA (or by companies located in these countries).
  • Take stock of subcontractors – It must also be checked whether subcontractors and service providers, e.g. the web host or accounting service, use providers from third countries / the USA (e.g. rent servers from Amazon Web Services).
  • Request for new standard contractual clauses – Third country providers must be asked to provide the new standard contractual clauses (alternatively, although less common, standard contractual clauses can be provided to them for review and signature). Similarly, subcontractors must be asked whether corresponding standard contractual clauses have in turn been concluded with their subcontractors in third countries (ideally, copies should be requested).
  • Request for security measures – The providers from third countries must be asked to name the security measures with which the special risks of the third-country transfer are mitigated (e.g. encryption, server location in the EU, pseudonymisation). Subcontractors must also be asked whether their subcontractors from third countries have provided evidence of corresponding security measures (ideally, they should also be asked to provide a list and copies of the confirmations).
  • Checking the standard contractual clauses – you must check that the modules of the standard contractual clauses are correctly selected, that their text has not been modified and that the annexes are properly completed.
  • Verification of the level of data privacy – You must verify, on the basis of the notified security measures, whether a sufficient level of data privacy is ensured for the respective processing of the data by service providers and subcontractors.
  • Logging – you must record the audit procedures for evidence purposes (e.g. in a table with providers, times of requests, results and justification of your audit result).

Recommendation

Even though the end of 2022 is still far in the future, you should urge your contractual partners to replace the standard contractual clauses as soon as possible. Especially because the new standard contractual clauses implement the demands of the data privacy supervisory authority to supplement the previous clauses as a result of the ECJ’s case law on US data transfers. It can therefore be assumed that supervisory authorities will very soon declare the use of US providers on the basis of old standard contractual clauses to be inadmissible.

The Federal Commissioner for Data Privacy and Freedom of Information (BfDI) announced on 29.06.2021 that the European Commission had adopted the adequacy decisions for transfers of personal data to the United Kingdom under the General Data Privacy Regulation (GDPR) and the Law Enforcement Directive (LED) on 28.06.2021.

With the recognition of the adequate level of data privacy, data transfers from the European Economic Area (EEA) to the United Kingdom, within the scope of the decisions, do not require a specific authorisation. The examination of whether the general data privacy requirements for a data transfer are met remains necessary and must be carried out independently of this.