Successfully Marketing Your SOC Report
Underutilized benefit of SOC reporting
- What are the benefits of a SOC report other than to satisfy our customer contractual requirements?
- How can I further leverage my SOC report for marketing purposes?
Using SOC reports as a strategic part of your marketing program
“We are about to receive our annual SOC 1 and/or SOC 2 report! Now, how do I market it?”
Outside of building your stakeholders’ trust and establishing competitive advantage, a SOC report will assure your clients that you are meeting their contractual and reputational expectations. Many organizations view the SOC report as just meeting their stakeholders’ regulatory requirements like GDPR or HIPAA, or just fulfilling an important aspect of a vendor risk management program. We recommend you think bigger and broader than simply checking a compliance box with the SOC report.
If your organization has made the investment of time and resources to engage an independent CPA firm like AARC-360 to perform your SOC audits, you will have additional credibility in your marketing claims. You gain the ability to assure stakeholders that your security, privacy, confidentiality, availability, and processing integrity system requirements and commitments have been rigorously tested and met.
Here are best practice recommendations to fully leverage the investment you have made to use the SOC reporting process as part of your organizational marketing program:
- Issue a press release: Achieving your SOC report is a big accomplishment and one that should be highlighted. Work with your PR team to craft an official release to post to media outlets and the official News section of your website. AARC-360 has examples we can share with you of ready-to-post press releases that include the appropriate references to the auditor.
- Advertise year-round on your organization’s website: Place the official American Institute of Certified Public Accountants (AICPA) SOC 2 seal on your website. This seal is a constant reminder to current or prospective customers who visit your site that you are a controls-conscious organization. If you don’t have a dedicated security page on your site, we recommend adding the symbol to your home page. The actual complete SOC 1 and SOC 2 reports are only shared with stakeholders that you are currently in business with and/or have an understanding of the system and the basis for the SOC report, but you can still advertise that you have such a report on your public-facing website so that prospective customers know what to expect when working with your organization and what to ask for.
- Use Social Media: Work with your marketing team on an announcement that your organization and our organization will both post to your LinkedIn sites; AARC-360 can provide a template to help post an announcement of your SOC report. Make sure you leverage your team to help get the word out via liking and re-posting the release to broaden your follower count.
- Email Campaigns: Email may be an oldie, but it is a technique that has stood the test of time. Create a post as part of a regular customer communication like a periodic newsletter, or create a custom email blast announcement. If you have case studies provided by your clients, include them with the campaign. Be sure to focus on the customer and how you take the handling of their business transactions and confidential information seriously.
- Add a SOC 3 to your compliance portfolio: Want to take the marketing of your SOC 2 a step further? Ask for a SOC 3 Report. The SOC 3 is an abridged version of the SOC 2 that you can post and make readily available to prospects in the market to underscore your system requirements and commitments. (Note: SOC 3 is only available when performed in conjunction with a SOC 2, and covers the same period, scope and results as the complementary SOC 2. The SOC 3 is not available to complement a SOC 1.)