Retirement Plan Cybersecurity: Use SOC Reports to Demonstrate Best Practices

A follow-up to our three-part series on the U.S. Department of Labor’s “Cybersecurity Guidance for Plan Sponsors, Plan Fiduciaries, Record Keepers, Plan Participants.”

In April 2021, the Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) announced cybersecurity guidance for retirement plans subject to the Employee Retirement Income Security Act (ERISA) of 1974. In our three-part series, we covered each of the three forms of guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants:

  1. Tips for hiring a service provider – To help plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices, as required by ERISA.

  2. Cybersecurity program best practices – To help plan fiduciaries and record keepers meet their responsibilities for managing cybersecurity risks.

  3. Online security tips – To help participants and beneficiaries reduce the risk of fraud and loss when checking their retirement accounts online.

A key point expressed in the first two articles in the series was a recommendation that plan sponsors implement a third-party risk management program. To facilitate the process, we recommend you work with a service provider that has a cybersecurity program and undergoes an annual independent audit of that program. Moreover, we recommend that you request and review the audit reports to confirm that your service provider’s security controls are operating effectively and meeting the demands of the DOL’s cybersecurity best practices. To accomplish all of the above, we recommend you use SOC reports.

SOC 2 reports

SOC 2 reports have established a framework for reporting on many of the best practices outlined in the DOL guidance. By understanding where to look in an SOC 2 report, you can determine whether or not the service provider is meeting these demands. Note, however, that the reports are not a check-the-box exercise: simply collecting them from your service providers, without reading and evaluating them, offers little risk mitigation.

An SOC 2 report can include five Trust Service Criteria: Security, Availability, Confidentiality, Privacy, and Processing Integrity. The Security criterion is mandatory; the others are optional. The Security criterion is broken down into nine Common Criteria (CC):

  • CC1 – Control Environment
  • CC2 – Communication and Information
  • CC3 – Risk Assessment
  • CC4 – Monitoring Activities
  • CC5 – Control Activities
  • CC6 – Logical and Physical Access
  • CC7 – System Operations
  • CC8 – Change Management
  • CC9 – Risk Mitigation

The 12 best practices established by the DOL can be mapped to the Common Criteria and Trust Services Criteria contained in the SOC 2 report as follows:

  1. Have a formal, well-documented cybersecurity program: CC1 / CC2 / inherent throughout the report

  2. Conduct prudent annual risk assessments: CC3

  3. Have a reliable annual third-party audit of security controls: CC4

  4. Clearly define and assign information security roles and responsibilities: CC1 / CC5

  5. Have strong access control procedures: CC6

  6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments: CC6 / Confidentiality

  7. Conduct periodic cybersecurity awareness training: CC2

  8. Implement and manage a secure system development life cycle (SDLC) program: CC8

  9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response: CC9 / Availability

  10. Encrypt sensitive data, stored and in transit: CC6

  11. Implement strong technical controls in accordance with best security practices: CC6 / CC7

  12. Appropriately respond to any past cybersecurity incidents: CC7

By obtaining and reading these reports, you can determine whether, and how well, your service provider is adhering to the DOL best practices. SOC reports also provide valuable information on the controls the service organization uses to meet the criteria, the auditor’s tests of those controls, and the results of the auditor’s tests.

HBK Risk Advisory Services can help you implement an effective third-party risk management program and process. We can help you prepare for an SOC audit, we can conduct the audit, and we can provide a timely report to meet the demands of your customers or regulators. For more information or to schedule a meeting, contact us at 724-934-5300 or by email at

About the Author(s)
Matthew joined HBK in early 2017 after spending four years working for Kearney and Company in Washington, DC as a consultant to the Department of Defense (DoD). Matt has thirteen years of extensive internal control experience within information technology and the financial reporting processes. He leads HBK’s Risk Advisory Services, where he assists clients with System and Organization Controls (SOC) 1 and SOC 2 readiness assessments and examinations. Additionally, he helps clients assess the design, implementation, and effectiveness of cybersecurity controls and their ability to achieve industry best practices and security frameworks such as ISO 27001. His client base includes Software-as-a-Service organizations, cybersecurity and incident response service organizations, and service organizations supporting the healthcare and financial services industries.
Hill, Barth & King LLC has prepared this material for informational purposes only. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or under any state or local tax law or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. Please do not hesitate to contact us if you have any questions regarding the matter.