Cybersecurity Best Practices
Since the U.S. government introduced regulatory-like cybersecurity guidelines in 2021, many organizations that sponsor retirement plans affected by those guidelines set out to test their conformance. Roland|Criss is a leader in employee benefit plan cybersecurity risk management, and dozens of employers have asked us to conduct risk assessments.
A significant part of our assessment addresses the policies and practices of service providers. There are 11 categories of vendors included in our assessment methodology. Those that garner our most intense attention process or retain personally identifiable information (“PII”) or personal health information (“PHI”) of the plan’s participants. Typically, they are recordkeepers, health plan providers, and payroll services.
The primary document those vendors rely on to demonstrate data security quality uses a program developed by the American Institute of Certified Public Accountants (“AICPA”) and is published by their CPAs following an audit called a Service Organization Controls or “SOC” report.
Which SOC Type is Best?
Three types of SOC audits make up the AICPA’s program. A CPA’s SOC 1 audit determines whether a service provider has internal control over its financial reporting. Yet many recordkeeping firms and other vendors give us a SOC 1 report, implying that it evidences independent confirmation of good data security practices, even though that audit type does not opine on data security controls at all.
Regarding cybersecurity, SOC 2 has become the de facto standard. In a SOC 2 audit, the service provider describes the policies, procedures, and systems it has in place to protect information across five “Trust Services Criteria.” A SOC 2 Type 1 differs from a SOC 2 Type 2 in that Type 1 examines only the design of security controls at a specific point in time. In contrast, a SOC 2 Type 2 report considers how effectively those controls actually operate over time by observing operations for six months.
A SOC 3 has less detail and typically provides less value to report users.
If your service providers rely on the AICPA’s SOC audit program to prove their cyber quality, insist that they deliver a SOC 2 Type 2 report. Otherwise, your vendor evaluation efforts will be futile. You will fail to achieve the results that the Employee Benefits Security Administration, the government’s enforcement unit, expects to see when it audits your plan.