A follow-up to our three-part series on the U.S. Department of Labor’s “Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record Keepers, Plan Participants.”
In April 2021, the Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) announced cybersecurity guidance for retirement plans subject to the Employee Retirement Income Security Act (ERISA) of 1974. In our three-part series, we covered each of the three forms of guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants:
- Tips for hiring a service provider – To help plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices, as required by ERISA.
- Cybersecurity program best practices – To help plan fiduciaries and record keepers meet their responsibilities for managing cybersecurity risks.
- Online security tips – To help participants and beneficiaries reduce the risk of fraud and loss when checking their retirement accounts online.
SOC 2 reports
SOC 2 reports have established a framework for reporting on many of the best practices outlined in the DOL guidance. By knowing where to look in an SOC 2 report, you can determine whether a service provider is meeting these expectations. Note, however, that the reports are not a check-the-box exercise: simply collecting them from your service providers, without reading and evaluating their contents, offers little risk mitigation.
An SOC 2 report can cover five Trust Services Criteria: Security, Availability, Confidentiality, Privacy, and Processing Integrity. The Security criterion is mandatory; the others are optional. The Security criterion is broken down into nine Common Criteria (CC):
- CC1 – Control Environment
- CC2 – Communication and Information
- CC3 – Risk Assessment
- CC4 – Monitoring Activities
- CC5 – Control Activities
- CC6 – Logical and Physical Access
- CC7 – System Operations
- CC8 – Change Management
- CC9 – Risk Mitigation
The 12 best practices established by the DOL can be mapped to the Common Criteria and Trust Services Criteria contained in the SOC 2 report as follows:
- Have a formal, well-documented cybersecurity program: CC1 / CC2 / inherent throughout the report
- Conduct prudent annual risk assessments: CC3
- Have a reliable annual third-party audit of security controls: CC4
- Clearly define and assign information security roles and responsibilities: CC1 / CC5
- Have strong access control procedures: CC6
- Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments: CC6 / Confidentiality
- Conduct periodic cybersecurity awareness training: CC2
- Implement and manage a secure system development life cycle (SDLC) program: CC8
- Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response: CC9 / Availability
- Encrypt sensitive data, stored and in transit: CC6
- Implement strong technical controls in accordance with best security practices: CC6 / CC7
- Appropriately respond to any past cybersecurity incidents: CC7
HBK Risk Advisory Services can help you implement an effective third-party risk management program and process. We can help you prepare for an SOC audit, conduct the audit, and provide a timely report to meet the demands of your customers or regulators. For more information or to schedule a meeting, contact us at 724-934-5300 or by email at mschiavone@hbkcpa.com.