A strategic investment in security and trust: Dancerace secures SOC 1 and SOC 2 accreditation
In 2023, cyberattacks targeting financial institutions surged by 54% compared to 2022 (IBM Security, Cost of a Data Breach Report 2024).
Today, the average cost of a data breach in the financial sector has climbed to $5.72 million, underscoring the severe economic impact of these threats (Deloitte, 2023 Global Cyber Executive Briefing: The threat landscape and what you can do about it).
As the threat landscape has intensified, the commercial risk has increased significantly – particularly for banks and lenders. In today's evolving digital landscape, security and regulatory compliance are paramount for finance businesses.
As Head of Security and Operations at Dancerace, it’s my role to ensure we’re consistently focused on implementing up-to-date systems and processes to keep our lenders and their borrowers safe. As part of this, we have recently secured SOC 1 Type 2 and SOC 2 Type 2 status, to complement our ISO 27001 accreditation.
What is a SOC report?
A SOC (System and Organisation Controls) report is a comprehensive audit report that evaluates an organisation’s systems and processes, focusing on controls related to information security, data privacy and financial reporting. These reports are typically divided into three main types: SOC 1, SOC 2, and SOC 3.
SOC 1 reports focus on financial reporting controls, ensuring that processes and systems are accurate and reliable. This report is designed for service organisations that affect their clients’ financial statements. It assesses the effectiveness of internal controls over financial reporting.
SOC 2 reports are applicable across a wider range of industries, covering security, availability, processing integrity, confidentiality, and privacy controls. SOC 2 reports dive into IT and security controls and are particularly relevant for companies that handle sensitive data, as they ensure that proper safeguards are in place to protect that data.
SOC 3 reports are similar to SOC 2 but intended for non-specialist readers. SOC 3 reports provide a high-level overview of an organisation’s controls without diving into the detailed testing results. A SOC 3 report is often used as a marketing tool to demonstrate an organisation’s commitment to security and data protection.
Dancerace already has ISO 27001 accreditation. Why invest in SOC 1 and SOC 2, too?
Dancerace has had ISO 27001 accreditation in place for several years.
While ISO 27001 and SOC audits have considerable overlap, there is one significant difference: ISO 27001 focuses on a point-in-time audit. SOC Type 2 audits are conducted over an extended period of time – three months or more – to provide a comprehensive view of an organisation's ongoing practices and controls.
In simpler terms: a SOC report gives our current and future clients a detailed, third-party-verified assurance that our systems, processes, and financial reporting are not only secure but consistent and reliable.
ISO 27001 is an international standard for managing information security. It provides a framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The goal of ISO 27001 is to ensure that organisations manage their information security risks effectively, to safeguard the confidentiality, integrity, and availability of data.
Unlike SOC reports, which focus on specific areas like financial controls or IT security over an extended period of time, ISO 27001 provides a comprehensive, point-in-time assessment of an organisation’s information security practices. This standard is recognised globally and is often the baseline requirement for organisations looking to demonstrate their commitment to information security.
For Dancerace, ISO 27001 acts as the foundation upon which we’ve built our SOC compliance. Given the high level of overlap between the requirements of ISO 27001 and SOC 2, we were able to leverage our existing ISO framework to achieve SOC accreditation. Integrating ISO this way allows us to meet the information security demands of our global clients and navigate different regulatory landscapes in Europe, Australia, and the U.S.
Why now?
Our decision to invest in SOC reporting stems from changing client demands and increasing regulation around financial services worldwide.
This move towards heightened regulation has been driven – in part – by the changing threat landscape across cybersecurity, outsourcing practices and digital resilience. There has been a significant shift in the last decade across Europe and beyond, particularly with the introduction of guidelines from the European Banking Authority (EBA) and the upcoming Digital Operational Resilience Act (DORA). These regulations emphasise the importance of cybersecurity, outsourcing practices, and overall digital resilience.
Initially, it was our clients who requested ISO 27001 accreditation – a common, international standard for information security management. However, our presence in markets where investment in SOC reporting is critical, such as Australia, New Zealand and the US, meant the need for SOC 1 Type 2 and SOC 2 Type 2 accreditation was increasingly apparent.
Achieving SOC accreditation has become a contractual requirement for many of our banking clients. This increased security demand aligns with our ongoing strategic goal of bolstering our security posture, both for compliance and maintaining key client relationships.
In this way, implementing SOC reporting was a necessary step to meet current and future regulatory demands and to ensure we remain a trusted partner to our clients.
What value does SOC accreditation offer our lenders?
SOC provides elevated assurance to lenders that our financial reporting processes (SOC 1) and IT security controls (SOC 2) meet their rigorous standards. This assurance is crucial for building trust with our clients, who can be confident that our systems are secure, our processes are reliable, and that Dancerace is committed to continual improvement.
SOC accreditation reduces our clients' audit and insurance costs. By having an external accredited auditor validate Dancerace’s controls, our clients can demonstrate to regulators that their risk is managed properly.
Achieving SOC 1 Type 2 and SOC 2 Type 2 alongside ISO 27001 positions us competitively in the market. This dual accreditation is not just a "tick the box" exercise to meet regulatory requirements; it is a strategic investment in our reputation and securing our position as a trusted partner in the financial services industry.
By continually investing in information security accreditation, Dancerace demonstrates our dedication to maintaining the highest standards of security, compliance, and operational excellence. This approach allows us to meet market demands today and strengthens Dancerace for the future, to ensure we can continue to deliver reliable, secure, and innovative software to banks and lenders worldwide.