A follow-up to our three-part series on the U.S. Department of Labor’s “Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record Keepers, Plan Participants.”
In April 2021, the Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) announced cybersecurity guidance for retirement plans subject to the Employee Retirement Income Security Act (ERISA) of 1974. In our three-part series, we covered each of the three forms of guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants:
Tips for hiring a service provider – To help plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices, as required by ERISA.
Online security tips – To help participants and beneficiaries reduce the risk of fraud and loss when checking their retirement accounts online.
A key point expressed in the first two articles in the series was the recommendation that plan sponsors implement a third-party risk management program. To make that process workable, we recommend working with a service provider that maintains a cybersecurity program and undergoes an annual independent audit of that program. We further recommend that you request and review the audit reports to confirm that your service provider’s security controls are operating effectively and meeting the demands of the DOL’s cybersecurity best practices. SOC reports are the tool we recommend for accomplishing all of the above.
SOC 2 reports
SOC 2 reports provide an established framework for reporting on many of the best practices outlined in the DOL guidance. By knowing where to look in an SOC 2 report, you can determine whether or not the service provider is meeting these demands. Note, however, that the reports are not a check-the-box exercise: simply collecting them from your service providers, without reading and evaluating them, offers little risk mitigation.
An SOC 2 report can cover five Trust Services Criteria: Security, Availability, Confidentiality, Privacy, and Processing Integrity. The Security criterion is mandatory; the others are optional. The Security criterion is organized into nine Common Criteria series (CC1 through CC9), and the DOL best practices map to them as follows:
Have a formal, well-documented cybersecurity program: CC1 / CC2 (and inherent throughout the report)
Conduct prudent annual risk assessments: CC3
Have a reliable annual third-party audit of security controls: CC4
Clearly define and assign information security roles and responsibilities: CC1 / CC5
Have strong access control procedures: CC6
Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments: CC6 / Confidentiality
Implement and manage a secure system development life cycle (SDLC) program: CC8
Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response: CC9 / Availability
Encrypt sensitive data, stored and in transit: CC6
Implement strong technical controls in accordance with best security practices: CC6 / CC7
Appropriately respond to any past cybersecurity incidents: CC7
By obtaining and reading these reports, you can determine whether, and how well, your service provider is adhering to the DOL best practices. SOC reports also provide valuable information on the controls the service organization uses to meet the criteria, the auditor’s tests of those controls, and the results of the auditor’s tests.
HBK Risk Advisory Services can help you implement an effective third-party risk management program and process. We can help you prepare for an SOC audit, we can conduct the audit, and we can provide a timely report to meet the demands of your customers or regulators. For more information or to schedule a meeting, contact us at 724-934-5300; or by email at mschiavone@hbkcpa.com.