SOC it to Me

Published 2022-10-26 (modified 2022-10-31) at https://rolandcriss.com/soc-it-to-me/
Categories: Fiduciary Insider, Retirement Plans

Article

Cybersecurity Best Practices

Since the U.S. government introduced regulatory-like cybersecurity guidelines in 2021, many organizations that sponsor retirement plans affected by those guidelines set out to test their conformance. Roland|Criss is a leader in employee benefit plan cybersecurity risk management, and dozens of employers asked us to conduct risk assessments.

A significant part of our assessment addresses the policies and practices of service providers. There are 11 categories of vendors included in our assessment methodology. Those that garner our most intense attention process or retain personally identifiable information ("PII") or personal health information ("PHI") of the plan's participants. Typically, they are recordkeepers, health plan providers, and payroll services.

The primary document those vendors rely on to demonstrate data security quality comes from a program developed by the American Institute of Certified Public Accountants ("AICPA"): a Service Organization Controls or "SOC" report, published by their CPAs following an audit.

Which SOC Type is Best?

Three types of SOC audits make up the AICPA's program. A CPA's SOC 1 audit determines if a service provider has internal control over its financial reporting. Yet many recordkeeping firms and other vendors give us a SOC 1 report, implying that it evidences independent confirmation of good data security practices, even though that audit type does not opine on data security controls.

Regarding cybersecurity, SOC 2 has become the de facto standard. In a SOC 2 audit, the service provider describes the policies, procedures, and systems it has to protect information across five "Trust Services Criteria." A SOC 2 Type 1 differs from a SOC 2 Type 2 in that Type 1 examines the design of security processes at a specific point in time. In contrast, a SOC 2 Type 2 report considers how adequate those controls are over time by observing operations for six months.

A SOC 3 has less detail and typically provides less value to report users.

If your service providers rely on the AICPA's SOC audit program to prove their cyber quality, insist that they deliver a SOC 2 Type 2 report. Otherwise, your vendor evaluation efforts will be futile. You will fail to achieve the results that the Employee Benefits Security Administration, the government's enforcement unit, expects to see when it audits your plan.

Ask Roland|Criss: https://rolandcriss.com/contact-us/

Excerpt: The type of audit an employee benefit plan vendor provides to a plan sponsor client to prove its data security quality matters greatly.

Earlier content of this post (retained in the page builder's stored old content):

Practical Tip

To meet emerging cybersecurity standards as plan sponsors, employers need to understand some basic rules, specifically the Employee Retirement Income Security Act ("ERISA").

The U.S. Department of Labor ("DOL") is developing cybersecurity objectives for plan fiduciaries that form the basis for its plan audits. It is likely that the DOL's guidelines will add to the foundation on which data security related class action lawsuits are litigated.

Cybersecurity for benefit plans often falls outside the scope of cybersecurity planning for enterprises at large.

Benefit plans often maintain and share sensitive employee data and asset information across multiple unrelated entities as a part of the benefit plan administration process. This data and asset information should be specifically considered when implementing cybersecurity risk management measures.

Because benefit plans are regulated by ERISA, anyone who interacts with the plan should be particularly aware of the impact that breaches have on participants and beneficiaries and the associated rights and duties of plan fiduciaries arising under ERISA.

Everyone who comes in contact with personally identifiable information ("PII") has a role to play in protecting plan data.

Here's where to start...

Adopt a Cybersecurity Policy

Regardless of a plan's size or complexity, the need for a cybersecurity policy statement ("CPS") has escalated to the same level of importance as an investment policy statement. If your plan currently lacks a CPS, don't delay in adding one to the policies on which you rely to demonstrate that your plan is being managed prudently.

Conduct a Cybersecurity Risk Assessment

Initiate an examination of your plan's current cybersecurity sensitivities, resourced either internally or by a qualified third-party expert. A legally defensible risk assessment will adhere to 18 discovery tasks. Scored on a scale of 1 to 100, an assessment offers a way to ensure continued improvement. Ask Roland|Criss for a list.

Elevate Cybersecurity to a High Monitoring Priority

The agendas of benefit plan related committees should include a permanent entry for monitoring a security management plan. Best practices for ERISA governance, risk management, and compliance ("GRC") systems now require evidence of robust monitoring. Using a technology application tailored for that purpose is a must. Ask us about FiduciaryGRC™, a state of the art cybersecurity solution that covers the entire risk spectrum: assessment, technology, and monitoring.

FiduciaryGRC™ is a trademark of Roland|Criss.