> These are starting points only: customers are responsible for reviewing, modifying, and finalizing their own materials. Draft templates are not the same as “pre-filled evidence.”
Yeah, ok. BRB to start a bank where I template everyone a billion dollars; it's up to you to be honest with how much money you have.
To me this is the money shot (but it takes a couple of passes to understand):
> No small amount of criticism of LLMs is downstream of past decisions to reify form over function, resulting in the substance having been optimized out. Now the LLM threatens to make the form available in seconds
None of their ISO 27001 certificates, aside from the premium one-offs with the vCISO, are accredited by any reputable ISO accreditation body. I would even argue that IAS, who accredited Prescient Security (mentioned as a reputable body in the article), has a questionable reputation and certainly gives off a pay-to-play impression.
You can look up the names of their partners below. The one body I found that is on the register (Accorp) is accredited by UAF, a known cert-mill accreditation body, and I’m not even sure it’s the same Accorp that Delve has partnered with.
For reference, you want an ISO certificate issued by a body accredited by UKAS (UK gov. adjacent non-profit), ANAB (ANSI), or equivalent, all government-recognised. This is normally the first thing I check whenever someone claims ISO 27001 certification, and it is a great heuristic to validate certification rigour.
Wow! They confirmed it in the last paragraph: "we are investigating possible leaks", not "we have filed a libel suit". A leak means an insider spilled the beans.
"Below are just some of the many inaccuracies in the story and then the truth."
"[G]iven how competitive this industry is, attacks like this sadly come with the territory."
"We are actively investigating any leaks and are still reviewing the Substack. If there are more attacks to respond to we will do so."
When you have a PR problem, you don't hire your marketing intern to write the response. You hire a PR consultant. Their funders' Rolodexes are probably full of them. If the Board approved the response, I'd be frankly shocked.
There's a deep lack of accountability here for their marketing statements. For example, "get SOC 2 compliant in days," which I would consider to be false advertising.
That, plus their willingness to arrange an essentially fraudulent auditor network (try to find who the real CPA is behind Accorp, for example), and also massively upcharge the prices of the SOC reports that they offered as a bundled service within the platform. There was no separation here. Delve is the transfer agent. Delve was always the intermediary and the transfer agent. There is no independence in their default auditor relationships.
At very best, this is a massive AICPA transgression.
At worst, blatant fraud.
I would wager that discovery would show the latter.
This basically boils down to, "Sure, we recommended you work with scammy low-quality auditors, but if you actually use them it's your own fault... we're just an automation tool!"
In other words, I'm reading this as effectively a full admission that the claims are true but the company is saying not their responsibility.
Where does it say we recommend you work with scammy low-quality auditors? They say that they use third party audit firms that are used by other compliance companies.
This is clearly false from what I've seen. If you read the source Substack article and look through the list of auditors they have, it is impossible to trace down who the US-based CPA is that's issuing the report. These firms, for all intents and purposes, do not really exist. They use shell addresses in Wyoming and Texas that are registered agent offices, etc.
But really all you have to do is look at the reports themselves. They are so shoddily written that it's hard to believe any legitimate firm would issue them. If you Ctrl F for Clueley in this thread, you will see my comment with a sample excerpt from the assertion of management for one of their reports.
Prescient Assurance definitely exists in the US. Outside of Delve, I have seen their reports for Vanta and it's the same. It was 95% policy inspections and 5% looked at a GRC tool.
I assume you mean this "Prescient Assurance"? As detailed in this section of the post?

> 6.7 Misled auditor - Prescient

With this conclusion:

> Looking at that report, there are clear signs that Delve either knowingly misled Prescient, or that Prescient accommodated Delve's deficient process. Given their reputation and by the small number of Delve/Prescient reports out there, I'm assuming it is the former.
I've used Prescient in the past and found them on par with others. Policy evidence is at most about 30%. Everything else is show-don't-tell. Either live screen shares, screenshots, non-policy documentation, or evidence from a shared vendor that's integrated into the environments and security tools (like Drata).