When institutional investors entrust data to a trading platform, they must be confident it is securely and privately stored and available when needed. Due diligence demands scrutiny of third-party infrastructure and software to ensure it conforms to security, privacy, and availability standards. Otherwise, investors may face significant risks, including the risk of regulatory compliance failures.

But scrutiny of third-party infrastructure is not a straightforward matter. Many investors lack the technical expertise, and thoroughly scrutinizing an evolving technology platform is time-consuming. Plus, platform providers seeking to protect their intellectual property may not provide transparent access to proprietary systems.

A SOC 2 audit is an excellent solution to these problems. SOC 2 audits are conducted by a licensed CPA firm with expertise in information security. They issue a report that attests the relevant systems conform to information security standards. When an investor is considering the suitability of a trading platform or service provider, a SOC 2 report may significantly accelerate due diligence by providing the reassurance that platform users need to fulfill risk assessment requirements.

Portfolio margin accounts are intended to overcome this shortcoming by basing margin requirements on the total calculated risk posed by the portfolio. A lower risk allows a broker to extend more credit than a higher risk, and a hedged position will have a lower margin requirement than a more risky position.

What is SOC 2 Compliance?

SOC (Service Organization Control) 2 is an auditing framework for organizations that store and process information on behalf of other organizations. It focuses on internal controls relevant to client and customer data. SOC 2 was developed by the American Institute of Certified Public Accountants, and only a licensed Certified Public Accountant (CPA) can issue a SOC 2 report. SOC 2 audits are conducted by CPA firms that specialize in information security.

A SOC 2 audit is a thorough and lengthy examination of internal controls. Unlike a SOC 1 audit, which focuses on controls relevant to financial reporting, SOC 2 focuses on a broad range of controls pertinent to privacy, security, and availability, as we’ll discuss further in the next section.

The details differ depending on the audit’s scope and the systems under consideration, but in all cases, a service organization’s management provides an assertion concerning internal controls. The auditor examines those controls and relevant documentation, producing a report that attests to the fairness and accuracy of the management assertion. The report also includes an overview of the system and the results of the control tests.

The SOC 2 Trust Services Criteria

The Trust Services Criteria are control criteria used to evaluate and report on internal controls during a SOC 2 audit. In short, the criteria describe the type and nature of the controls that an organization must implement to be SOC 2 compliant.

The Trust Service Criteria comprise five broad categories: security, availability, processing integrity, confidentiality, and privacy. Organizations undergoing an audit can limit the audit’s scope to specific categories, but all SOC 2 audits must include criteria in the security category, which are called the common criteria.

The security criteria focus on access controls and other security risks, while the privacy criteria govern the protection and handling of sensitive information. The confidentiality criteria ensure that an organization can correctly identify and protect confidential information. Processing integrity, which is particularly important to financial organizations, relates to accurate and timely information processing. Finally, availability criteria require information and services to be available to meet the entity’s objectives.

Each category includes dozens of individual criteria. For example, one control criterion in the security catalogs is “remediates identified vulnerabilities.” The auditor’s role is to ensure that the organization has implemented suitable controls to identify and remediate security vulnerabilities.

SOC 2, Financial Services, and Due Diligence

SOC 2 compliance greatly simplifies due diligence and gives investors and brokers confidence that their data is stored and processed according to trusted standards backed by AICPA. That’s why the SpiderRock Platform is SOC 2 compliant.

Regulatory compliance is a concern of any organization that trades on the securities markets or offers financial services. The SpiderRock platform also provides tools and services to help our clients maintain regulatory compliance. Our Trading Compliance Layer supports a wide range of compliance requirements, including the ability to embed compliance records in the SpiderRock Storage Engine (SRSE) MySQL API, including start-of-day positions, done away trades, stock locations, and restricted lists.