The Benefits of SOC Examinations for Blockchain
Blockchain providers find themselves in an interesting position: you have a revolutionary service to offer, but the market is still coming around to it, and prospective customers need a way to validate your product before they commit. Fortunately, there is something you can do now: take the initiative and obtain a SOC report.
Our Crypto & Digital Trust practice has noted that some blockchain providers have already leveraged a SOC report and the insight it provides, and in doing so have gotten ahead of their competitors.
The question now is, should you do so as well?
In this article, we’ll provide some insight to help you answer that—we’ll talk about the current market maturity of blockchain before providing 5 reasons why you, as a blockchain provider, should invest in SOC.
If blockchain really is the future, let us convince you how SOC can help improve yours.
The Current Market Status of Blockchain
Over the last seven years, we’ve all closely watched the emergence and development of blockchain technology for commercial business use. In that time, it has followed a trackable market lifecycle similar to that of other revolutionary tech:
- Technical Feasibility by Industry Trailblazers
- Promotion and Churn through the Technical Community
- Emergence of Initial Service Providers Establishing Backbone Code and Infrastructure
- Technical Collaboration and Joint Proofs of Concept
- Funding and Broader Application of Pilot Projects
- Roll-out of Operational Use Cases
- Emergence of Proprietary and Open-Source Market Leaders
- Consolidation and Normalization of Market Offerings Backed by Interoperable Standards
- Broad Market Impact Revolutionizing Use Cases
- Erosion of Market Due to a Competing Technology Evolving from Phase 1-9
Within this ten-phase pattern, we believe that the blockchain market and the service providers of Web 3 / Web 5 are at Phase 6, with market trailblazers pushing into Phase 7.
Why? Because blockchain has:
- Proven itself to be robust and scalable.
- Demonstrated compelling digital trust attributes for its immutable data, network redundancy, and collaborative governance that are suitable for higher trust applications in FinTech, Healthcare, Digital Identity, and Supply Chain.
With these breakthroughs, the market is seeing an explosion of service providers all touting that they have built a better mousetrap. That may very well be true, but as things progress fully into Phases 6 and 7, these same service providers will develop a critical need to demonstrate the legitimacy and accountability of those mousetraps.
Yet how can a provider do that when blockchain has yet to reach Phase 8, the point at which globally interoperable standards will be established?
This is where SOC comes in. As the gold standard in compliance attestation, a SOC report can pave the way to prominence for a blockchain service provider right now.
5 Reasons to Get SOC for Blockchain
Since 1992 (first as SAS 70 reports, and since 2011 under the AICPA's SOC brand), System and Organization Controls (SOC) reports have been a mainstay of compliance. This independent third-party attestation of internal technology controls establishes the minimum standard of assurance that your customers and other relying parties need to satisfy their concerns over your security and trust claims.
But as is usually the case with compliance initiatives, a SOC report is not a trivial pursuit. So why should blockchain and Web 3 / Web 5 service providers invest in one?
There are five good reasons, and we'll examine them here.
1. Process Transparency and Legitimacy
While the terms "blockchain" and "crypto" have solidified themselves in the global vocabulary, most customer executives remain unfamiliar with what the technology is, how it functions, and why its operations add trust to business applications.
Right now there is a comfort gap between wanting to adopt the next big thing and understanding how it works. A SOC report helps close that gap, because it requires you to provide narratives of your system processes and controls. In the system description you must document:
- Types of services provided
- Principal service commitments and system requirements
- Components of the system
- Trust services criteria and corresponding controls
- Complementary user entity controls
- Complementary subservice organization controls
- System incidents
- Significant changes to the system during the period
Recording these narratives bridges the understanding gap while providing clarity and legitimacy regarding the care the blockchain network takes in serving your users' needs.
2. Accountable Control Maturity
A SOC 1 examination is appropriate when your blockchain service affects your customers' financial reporting, but SOC 2 is typically the more relevant option for a service provider's customers, because it addresses security and operational controls directly.
SOC reports also come in two types that can help you demonstrate that you meet stated service commitments to customers:
- Type 1: management asserts, and the auditor attests to, the design and implementation of controls as of a point in time; and
- Type 2: management asserts, and the auditor attests to, the design, implementation, and operating effectiveness of controls over a period of time (typically 3-12 months).
Many organizations opt for a SOC 2 Type 2 (often after first completing a Type 1) for the added assurance regarding operating effectiveness. If that is the route you choose as a blockchain company, you'll need to do the following to obtain an unqualified (clean) opinion:
- Design your controls to meet the AICPA Trust Services Criteria in scope. Security is required for every SOC 2; availability, processing integrity, confidentiality, and privacy are added based on the commitments you make to customers; and
- Operate those controls effectively throughout the examination period.
To do so, you'll not only need to ensure your controls work as designed, but also produce sufficient, appropriate evidence that proves it to an independent auditor. That is no easy task, but it legitimizes your system.
3. First Option as Safe Harbor for Critical Applications
The promise of blockchain reaches right to the heart of vital infrastructure, because the technology can provide tamper-evident, append-only records of:
- Currency transactions;
- Events in a supply chain; or
- High-value assets such as real estate titles and gemstones.
But before anyone trusts blockchain with the things most important to individuals and to society, the security assurance offered by blockchain network participants must be overwhelming in the eyes of the pillars of our economy and of government leadership.
If these are your potential customers, you should know that they have performed detailed risk assessments and have specific, high assurance requirements to preserve the security of their critical applications. A SOC report can be a conduit for meeting those stated requirements in a format they already know how to consume.
4. Consolidated Market Response and Assurance
SOC reports first came into being as a way to reduce the volume of one-off assurance requests arriving from each customer with its own specific needs. Under the SOC brand, the AICPA created a standardized report that satisfies the most commonly requested of those needs, and that remains true for blockchain.
If you complete a SOC examination, you receive one report that you can distribute to every customer who requests it, reducing the disruption of multiple asks while giving all of your customers' auditors one consolidated answer. Compared with the alternative of dedicating full-time resources to each customer's auditors, this one audit is not only cost-effective but an easier lift for your team.
Of course, you will need to take care in choosing whom to trust with this single response. Unfortunately, the proliferation of SOC reports across the business landscape has led some low-cost providers to commoditize the report into a checklist exercise. Engage a reputable audit firm, and you, along with the other major market players who read your report, will discern the difference.
5. Market Leadership Before Mass Competition
As noted above, there are no generally accepted, blockchain-specific audit schemes in practice today. If you're aiming to be a market leader, you don't have time to wait for one.
Market innovators, such as crypto.com, Engiven, Bittrex, Zventus, Fireblocks, Brane, and AlphaPoint have already completed SOC projects and duly promoted the event in press releases and on their websites. When will you?
Build Trust in Blockchain with SOC
If you’re a blockchain service provider, you know that you’re sitting on something cutting-edge that can likely serve many potential customers. While you wait for the market lifecycle to catch up, you have an opportunity now to elevate your product and its legitimacy through compliance’s “Old Faithful”—the SOC standard.
Now that you understand why you should move forward with a SOC report for blockchain, read our other content, which breaks down the different aspects of the examination and simplifies your experience:
- How Long Will Your SOC Examination Take?
- Shaping Your SOC 2: A Definitive Guide
- Which Big 4 Firm Should Perform Your SOC Audit?
Of course, you may have specific organizational questions, and if that’s the case, we encourage you to reach out to our crypto and digital trust practice leaders, who would be happy to address any further concerns you may have.
About Scott Perry
Scott Perry is a Principal at Schellman where he heads up its crypto and digital trust services practice. Prior to joining Schellman in 2022, Scott owned and operated his own firm specializing in cybersecurity consulting audits and governance, GRC implementation, digital identity and verifiable credentials, and WebTrust. Scott is also a Steering Committee member and co-Chairs the Governance Stack Working Group for the Trust Over IP Foundation (a Linux Foundation project). Scott has worked with the world's most respected SSL-certificate issuers, aerospace and defense companies, and government agencies. He has authored and contributed to a comprehensive governance and trust assurance methodology suite for Trust Over IP, has written a key chapter on Trust Assurance in a published book on Self Sovereign Identity and the FinClusive Rulebook. As a hands-on crypto and cybersecurity consultant and auditor, Scott provides deep and impactful advice that you would expect from a leader in the field.