Information security compliance had a big year in 2020. When the pandemic lock downs came into effect, it put remote working practices to the test. The shift to cloud services and software was already happening, and accelerated significantly.
The increased use of existing and new technology services raised questions about the information security of those services. And 'InfoSec' compliance, like SOC 2 and ISO 27001, answered the call.
InfoSec compliance falls into discretionary spend. Like many other business services, it was put under the microscope in 2020 and in a lot of cases was put on hold with the economic uncertainty from the pandemic. The rate of growth next year is expected to be even higher in 2021 - with five key drivers playing a role in the growth of InfoSec compliance:
1. Open Banking and the Consumer Data Right (CDR)
After going live on 1 July 2020 for the big 4 banks, many tech startups were left disappointed by the complexity, cost and uncertainty of the accreditation process for the CDR. With an ongoing push to open up the market for new innovative tech services, we’re expecting to see further developments in this space to simplify the process. A key requirement to become accredited is an audited SOC report, which may follow the SOC 1, SOC 2 or ASAE 3150 reporting standards. We're expecting to see many more of these completed in 2021 for aspiring CDR data recipients.
What is Open Banking? Read our Open Banking summary post.
2. Regulators have put Australia’s banks and large FI’s on notice for cybersecurity
Attention from the regulators is nothing new to the banks and other financial institutions ('FI's'). New regulations go through stages; starting as topics for consultation, turning into guidance papers, then into enforceable standards. There's usually a grace period or phased transition approach, before they finally they become enforced. With the urgent focus on Australia’s cybersecurity from a national interest perspective, regulators have put the banks on notice. In addition to suggesting minimal tolerance for non-compliance with existing information security compliance, new expectations have been raised including independent penetration testing of their systems. This pushes the needle on information security for those regulated businesses, but also for all their suppliers that play a role in protecting their information security, directly or indirectly.
Read more about these developments in the AFR; Banks ordered to simulate cyber attacks.
3. Heightened risks of remote working and cloud services
The continued, and accelerated shift to remote working and the use of cloud services, raises the risk profile for enterprise businesses. Traditionally, information security was focused on protecting the security of physical offices, the internal networks and systems developed in-house. There's a more distributed nature of working practices and more diverse systems and services used. It's near impossible for large organisations to stay on top of the breadth and depth of all the security measures without a standardised means for information security compliance. This is prompting enterprises with thousands of third-party services, to require SOC 2 and ISO 27001 reports with independent external audits, even in some cases where no sensitive data is collected or processed (directly).
4. Contract renewals triggering CPS 234
The CPS 234 regulation introduced in July 2019 is a game-changer for how regulated financial institutions need to manage their information assets including third-party services. The regulation formally comes into effect for third-party providers to regulated FI's at the next contract renewal date or a maximum of 3 years following the introduction of the regulation. This will continue to see SOC 2 reporting requirements imposed when these contracts are renewed. Perhaps more importantly, regardless of the next contract renewal the latest date is quickly approaching and the regulators have put regulated FI’s on notice.
5. The ‘enough is enough’ mindset
The general attitude towards information security compliance is; “do we really need to do it?”. In combination with the above drivers, the pain involved in completing due diligence questionnaires, and the increasing security threat environment, CXO’s are saying ‘enough is enough’ - let’s bite the bullet and get it done. The advantage of doing it earlier is standing out from peers. In the US market it’s the laggards completing their first SOC 2 or ISO 27001 certifications, while Australia has a window to position as being 'ahead of the curve'.
After a major year of growth in 2020, next year is looking likely to take it to a whole new level for SOC 1, SOC 2 and ISO 27001. Third-party service providers, like B2B software as a service businesses, are increasingly pressured into providing these certifications. Without them, their enterprise customers struggle to demonstrate their own compliance, and may look to other service providers that can meet those requirements. If the leading US market is anything to go by; we may see almost all B2B SaaS providers with SOC 2 and/or ISO 27001 certifications in the next 3-5 years.