
emilycg, today at 6:11 PM

The key problem is the audits and the auditors. I have independently verified for our vendors that they have the same templated SOC2 as all of the leaked reports, which is concerning because that shows the auditors did not actually validate the controls.

SOC2 is supposed to give you an INDEPENDENT evaluation of the compliance of a company: "are they doing what they say they are?"

If the SOC2 report is just a pre-populated template, it is meaningless.

The motivation of the "DeepDelver" doesn't really matter - this has implications across all companies that rely on these vendors that have been "assessed" by Delve.


Replies

OsrsNeedsf2P, today at 8:29 PM

Really curious what you're going to do, going forward. Will you be rejecting compliance certified with Delve? Will you be forcing your vendors to redo compliance?