Assessing Vendor Cybersecurity Risks: Which Approach Is Best?

Event ID:68934

On-Demand (OD)     $299.00
Duration: 90 minutes, including question and answer period.
Presenter(s): Gary Deutsch, CPA, president, BRT Publications, LLC
$299.00, On-Demand includes full audio presentation, question and answer session, and presentation slides. 
Who Should Attend? Internal auditors, risk managers, contracting officers, IT officers, legal counsel, operations officers, compliance officers, persons responsible for third-party due diligence

As cybersecurity risks grow, so does exposure to customer data breaches through outsourced vendor relationships. To protect against outsourced risks, institutions have relied on CPA-prepared SOC 2 reports to provide insight into the cybersecurity controls that vendors have in place. As a result, SOC 2 reports have become the most requested document from third-party vendors. CPAs use guidance from the AICPA’s SOC for Cybersecurity examination methods to ensure that SOC 2 reports consider current cyber risks. CPA information systems auditors are independent, objective professionals who attest to the design of information security controls (in a SOC 2 Type I) and to both the design and the operating effectiveness of information security controls (in a SOC 2 Type II). Vendors must prove to CPAs that they have appropriate controls in place.

That said, there are a growing number of alternatives to SOC 2 reports that address vendor cybersecurity risks. Some say that the alternatives may be more comprehensive than the SOC 2 report. Others claim that the alternative methods rely too much on canned checklists. However, as cybersecurity risks grow, the need for risk assessments has expanded to meet market conditions. Now that institutions are considering some of these alternatives to SOC 2 reports, it’s time to review the potential use cases for some of the more popular assessment methods. For instance, the Shared Assessments Organization has a Standard Information Gathering (SIG) questionnaire that is being used as an alternative to the SOC 2 report. Is the SIG questionnaire a good SOC 2 alternative, or is it better used as a supplement to the SOC 2 report? How about engaging a CPA to perform an Agreed Upon Procedures review instead of completing a SOC 2 report? Should institutions consider an ISO 27001 audit instead of a SOC 2 report?

As the list of alternative vendor cybersecurity assessment methods grows, institutions need to determine which method or methods will provide the best insight into the adequacy of vendor cybersecurity controls. Please join Gary Deutsch, CPA, CIA, CBA, CMA, MBA for this important webinar, which is focused on helping vendor risk managers and auditors understand the benefits and pitfalls of the growing list of cybersecurity risk assessment methods.


This webinar will cover the following:

  • How the purpose of a vendor cybersecurity risk assessment affects the method used to conduct the assessment
  • Methods for deciding which assessment programs to request from a vendor if the vendor has not engaged a CPA to prepare a SOC 2 report
  • Considerations for vendors that only agree to have a SOC 2 Type I report prepared
  • Which popular alternative cybersecurity assessment programs to consider, and why

Your conference leader for “Assessing Vendor Cybersecurity Risks: Which Approach Is Best?” is Gary Deutsch, president, BRT Publications LLC. Mr. Deutsch is a licensed CPA in Maryland and has a B.A. in accounting and an MBA in finance from Loyola University Maryland. He has also achieved the Certified Management Accountant, Certified Internal Auditor and Certified Bank Auditor designations. Mr. Deutsch is the founder and president of BRT Publications LLC. Mr. Deutsch has trained thousands of financial institution professionals in all aspects of risk management and has written numerous books in the U.S. and Europe on topics such as credit risk, internal audit and compliance with Generally Accepted Accounting Principles. Mr. Deutsch has extensive risk management and internal audit experience through his association with financial institutions of all sizes as well as through his role leading the KPMG financial institution consulting practice in the Mid-Atlantic region.

QUALITY COMMITMENT

BankersWEB, a division of DKG Media, LP, wants you to be satisfied with your webinar. If this webinar does not meet your expectations, email us at


BankersWEB certificates of participation are available to everyone completing this webinar.