Research Outline

Market size of compliance/audit software

Goals

To find information and statistics about the total annual spend on SOC 2 compliance in the U.S.

Early Findings

SOC 2

  • This certification, developed by the American Institute of CPAs (AICPA), was designed specifically for companies that provide services through the cloud and store customer data.
  • Before 2014, these companies only had to meet SOC 1 (SSAE 16) compliance requirements.
  • Since then, technology companies have been expected to be SOC 2 compliant, most importantly when they use the cloud to store customer data.
  • This is usually the case in the Software as a Service (SaaS) sector.
  • However, the SOC 2 attestation is completely voluntary, although companies that have it are more trustworthy.
  • It applies to all companies that use the cloud to process and store customer data, and it was developed in response to increasing concerns over data privacy and security.
  • Any service provider handling sensitive customer data, as well as its sub-contractors, should have to be SOC 2 compliant.
  • Industries that need to be SOC 2 compliant include cloud computing, IT security management, and Software-as-a-Service (SaaS) vendors.

When to Conduct the Audit

  • Most startups conduct this audit when they reach their B or C round of funding.
  • The SOC 2 audit should be conducted every year.

SOC 2 Type I

SOC 2 Type II

SaaS Companies

Estimate

  • Given that there is a lack of data linked directly to the size of the SOC 2 market in the U.S., we can provide some estimates using the statistics gathered such as the number of SaaS companies in the U.S. and the cost of these SOC 2 audits.
  • If we assume that most of the SaaS companies in the U.S. conduct SOC 2 audits, we can use a percentage close to 75%, and we can also assume that the cost would be between $20,000 and $100,000.
  • We can assume an average of 9,000 SaaS companies in the U.S.
  • In this case, we will use the average audit cost, which is $60,000.
  • Therefore, we can assume that the total estimated SOC 2 spend in the U.S. every year would be (75% × 9,000) × $60,000 = $405,000,000.
  • The total would be estimated at $405 million.