Regulators, investors, and boards of directors are increasingly demanding information about companies’ cybersecurity risk management. Consequently, companies are increasingly requesting voluntary third-party cybersecurity assurance services. In response to this demand, the American Institute of Certified Public Accountants (AICPA) offers a System and Organization Controls (SOC) for Cybersecurity assurance service. However, SOC for Cybersecurity faces competition from less comprehensive and less costly assurance services in a nonstandardized assurance market, and it is unclear if investors will recognize the value provided by the more comprehensive service. This article summarizes a study examining how investors perceive SOC for Cybersecurity (Perols 2024). The study finds that investors indeed value more comprehensive third-party cybersecurity assurance services when voluntarily disclosed in response to a reported cybersecurity incident but not when the SOC for Cybersecurity is proactively disclosed by management in the absence of a cybersecurity incident. This article highlights implications for audit practitioners, companies, and regulators.
