There is no doubt that the COVID-19 pandemic has had a great impact on many relocation management companies’ compliance with System and Organization Controls (SOC). In fact, data privacy trends have played a heavy role in shaping the future of data privacy and protection for companies everywhere. These trends were further accelerated by the pandemic.
Information and data security should be a big concern for all types of organizations. Even more so for those companies that outsource major business operations to third-party vendors. Almost all corporate relocation companies fall into this category. To ensure the private information of their transferees is protected, companies often look to established and trusted security standards, such as SOC 2. SOC 2 is a great auditing procedure system that helps manage data and make sure vendors have the internal controls to secure their customers’ data.
What is SOC 2?
SOC 2 was developed by the American Institute of Certified Public Accountants (AICPA) as an auditing procedure to help ensure that service providers manage your data securely. It sets up criteria for being able to manage data in a customer-related system. SOC 2 uses five areas of focus, or trust service principles, during an audit of an organization’s internal controls: security, availability, processing integrity, confidentiality, and privacy.
The reports that it can produce are unique to each organization. These internal reports give insight into important information about how service providers are managing data. These reports also include regulators, suppliers, business partners, etc.
There are two types of reports that SOC 2 can spin up:
- Type 1 describes a vendor’s system and how its design is suitable to meet trust service principles as of a specified date
- Type 2 details the operational effectiveness of each system throughout a disclosed period of time
It is easier for companies to obtain a Type 1 report, which is why a majority of relocation companies forgo the specialized Type 2 report.
How to Get a SOC 2 Report
Many companies have complex IT systems, so it would be extremely time-consuming to provide each vendor or client with a specific answer as to how their data is safeguarded. In fact, some organizations may not have airtight systems and processes in place that are capable of protecting their data. That’s why selecting a trusted CPA firm as an objective third-party auditor to perform a SOC 2 report can help. This CPA firm should be able to put together a thorough report to provide answers to common questions asked by organizations related to availability, processing, confidentiality, security, and privacy.
When selecting a firm to help with your SOC 2 report, be sure to inquire about the firms’ CPAs’ experience with IT. You’ll want to verify that they have IT auditors, not just financial audit CPAs. It is also a good idea to ask about certifications, CISA and CISSP are two that should stand out right away.
Why Does SOC 2 Matter for Relocation Management Companies?
When working with a Relocation Management Company (RMC), personal information needs to be exchanged to ensure the timely and accurate delivery of services and household goods.
Because RMCs work with so many third-party vendors, it’s important to be transparent about data and security measures. Countless suppliers have potential access to your employees’ personal data, including real estate agents, loan officers, moving companies, trucking companies, storage facilities, destination service providers, and more. A SOC 2 report is a powerful tool that RMCs can utilize to verify their compliance with internal controls standards, as well as assuring clients and employees that their personal data is being managed safely.
Every RMC has an obligation to make every effort to limit the collection of and access to the personal information of transferees during the relocation process. However, this offers minimal assurance that your relocation program and your network of providers are truly compliant with SOC standards.
SOC and Relocation Programs: 3 Key Areas of Concern
The truth is that many RMCs have struggled, or are still struggling, to pivot to suitable security solutions to manage vital operations and protocols. Three (3) key areas of concern include:
Third-Party Involvement
Whether your relocation program is managed by an RMC or in-house teams, a network of partners is needed to support the delivery of select services. This comes with a responsibility to protect the information of clients, their transferees, and the employees’ families across the network of partners utilized in the relocation process.
For example: When scheduling the pack and load of an employee’s property for a household goods shipment, the relocating employee’s name, address, and contact information are critical pieces of information needed by both the relocation management company and the supplier. This data is used for timely and accurate service delivery.
The need for downstream compliance and risk mitigation will continue to be an area of focus for several years. Each cog in the relocation wheel must be held to the highest compliance standards. You should expect and require nothing less.
Increased Risk of Cyber Attacks Requires System and Organization Controls
In today’s work from anywhere environment, the number of remote employees and external devices accessing company networks has increased dramatically, leading to larger threats in the cybersecurity arena. Remote staff often rely heavily on Virtual Private Network (VPN) gateways to provide encrypted network access. Despite these types of preventative measures, cyber attackers continue to seek opportunities and methods to breach security defenses.
Few Relocation Management Companies Undergo SOC Audits
In the relocation industry, this is a serious issue; an estimated 75% of RMCs do not have vetted or verified SOC credentials. With the amount of sensitive information these organizations may collect, each relocation management company has a responsibility to demonstrate that they have the systems, controls, and processes in place to protect their clients and their transferees from unnecessary risks. In an increasingly connected world, the mobility industry must adapt to manage these risks and the threats they introduce.
Conclusion
Whether you are working with a relocation management company today or managing your mobility program in-house, you should ask these two fundamental questions:
- Has there been a demonstrated investment in data privacy and protection for your mobility program in the last 6 months?
- Is your organization or your relocation provider currently compliant with the trust services principles set forth within a SOC 2 certification?
If you answered “No” to either question, it is time to reconsider your existing data security and compliance standards. Global Mobility Solutions (GMS) is one of the few relocation companies that is SOC 2 certified. Contact GMS now to learn more about how we protect your information and data in your relocation management program, or give us a call at 800.617.1904 or 480.922.0700 today.
We're Here to Help! Request a Courtesy Consultation
Are you ready to talk to a Mobility Pro? Learn how GMS can optimize your mobility program, enhance your policies to meet today’s unique challenges, receive an in-depth industry benchmark, or simply ask us a question. Your Mobility Pro will be in touch within 1 business day for a no-pressure, courtesy consultation.
