Retirement Plan Cybersecurity: Use SOC Reports to Demonstrate Best Practices

Date April 25, 2022
Article Authors
HBK CPAs & Consultants

A follow-up to our three-part series on the U.S. Department of Labor’s “Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record Keepers, Plan Participants.”

In April 2021, the Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) announced cybersecurity guidance for retirement plans subject to the Employee Retirement Income Security Act (ERISA) of 1974. In our three-part series, we covered each of the three forms of guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants:

  1. Tips for hiring a service provider – To help plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices as required by ERISA

  2. Cybersecurity program best practices – To help plan fiduciaries and record-keepers in their responsibilities for managing cybersecurity risks

  3. Online security tips – To help participants and beneficiaries reduce the risk of fraud and loss when checking their retirement accounts online.


A key point expressed in the first two articles in the series was a recommendation that plan sponsors implement a third-party risk management program. To facilitate the process, we recommend you choose to work with a service provider that has a cybersecurity program and undergoes an annual independent program audit. Moreover, we recommend that you request and review the audit reports to ensure your service provider’s security mechanism is working effectively and meeting the demands of DOL’s cybersecurity best practices. And to accomplish all of the above, we recommend you use SOC reports.

SOC 2 reports

SOC 2 reports have established a framework for reporting on many of the best practices outlined in the DOL guidance. By understanding where to look in an SOC 2 report, you can determine whether or not the service provider is meeting these demands. Note, however, that the reports are not a check-the-box exercise: simply collecting them from your service providers offers little risk mitigation unless you actually read and evaluate them.

An SOC 2 report can cover five Trust Services Criteria: Security, Availability, Confidentiality, Privacy, and Processing Integrity. The Security criterion is mandatory; the other four are optional. The Security criterion is broken down into nine Common Criteria (CC):

  • CC1 – Control Environment
  • CC2 – Communication and Information
  • CC3 – Risk Assessment
  • CC4 – Monitoring Activities
  • CC5 – Control Activities
  • CC6 – Logical and Physical Access
  • CC7 – System Operations
  • CC8 – Change Management
  • CC9 – Risk Mitigation

The 12 best practices established by the DOL can be mapped to the Common Criteria and Trust Services Criteria contained in the SOC 2 report as follows:

  1. Have a formal, well-documented cybersecurity program: CC1/ CC2/ inherent throughout report

  2. Conduct prudent annual risk assessments: CC3

  3. Have a reliable annual third-party audit of security controls: CC4

  4. Clearly define and assign information security roles and responsibilities: CC1/ CC5

  5. Have strong access control procedures: CC6

  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments: CC6/ Confidentiality

  7. Conduct periodic cybersecurity awareness training: CC2

  8. Implement and manage a secure system development life cycle (SDLC) program: CC8

  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response: CC9/ Availability

  10. Encrypt sensitive data, stored and in transit: CC6

  11. Implement strong technical controls in accordance with best security practices: CC6/ CC7

  12. Appropriately respond to any past cybersecurity incidents: CC7


By obtaining and reading these reports you can determine if and how well your service provider is adhering to the DOL best practices. SOC reports also provide valuable information on the controls the service organization uses to meet the criteria, the auditor’s tests of the criteria, and the results of the auditor’s tests.

HBK Risk Advisory Services can help you implement an effective third-party risk management program and process. We can help you prepare for an SOC audit, we can conduct the audit, and we can provide a timely report to meet the demands of your customers or regulators. For more information or to schedule a meeting, contact us at 724-934-5300; or by email at mschiavone@hbkcpa.com.


Does your Business Process Payment Cards?

Date October 9, 2018

If your business processes, stores, or houses credit, debit, or gift card data, then it likely must comply with the Payment Card Industry Data Security Standard (PCI-DSS), which contains 12 requirements.

Businesses often incorrectly assume that PCI-DSS pertains only to the processing of payment cards via a computer, but this is not the case. It applies to all types of commerce involving Card Holder Data (CHD), regardless of the medium.

To be clear, CHD includes the following information: the Primary Account Number, Card Holder Name, Expiration Date and Service Code.

While processing payment card transactions, if an employee writes CHD down on paper or transmits it via email, text message, or voicemail, that paper or message becomes part of your CHD environment, and your business must properly secure that expanded environment in order to comply with PCI-DSS.

If you have questions regarding your CHD environment, HBK can perform a gap analysis to identify any shortfalls your business may have relative to the PCI-DSS requirements.

HBK can assist you with cybersecurity topics or questions. Please contact Matt Schiavone at mschiavone@hbkcpa.com, Bill Heaven at wheaven@hbkcpa.com, or Steve Franckhauser at sfranckhauser@hbkcpa.com for assistance.
