Due to the increased use of electronic means to process financial transactions and store confidential information, cybersecurity is a major area of concern for all organizations as it relates to their employee benefit plans (EBP). The DOL maintains that overall responsibility resides with plan management to ensure security over employees’ confidential information and data related to EBP transactions. Therefore, it is very important that plan management take all the steps necessary to ensure cybersecurity.
Recommendations to combat cybersecurity threats include reviewing the SOC 1 reports of your third-party administrators and service providers (TPAs) with a specific focus on cybersecurity aspects as well as the controls around data security. However, if your TPA’s SOC 1 reports do not address data security related controls, it is recommended to request a SOC 2 report from them, which focuses on a business’s non-financial-reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system. If such reports do not exist for the service organization, then plan management needs to follow various other DOL-recommended steps to ensure data security.
SOC 1 Report – Your 1st Defense Against Cyber Attack!
A SOC 1 (SSAE 18) report (Service Organization Controls Report) provides information on controls at a service organization which are relevant to internal control over financial reporting.
The information contained in SOC 1 reports is critical to fulfilling plan management’s fiduciary duty to monitor the quality and effectiveness of the processes related to third-party administrators. As such, the DOL emphasizes the importance of plan management reviewing SOC 1 reports on a regular basis. The following suggestions are a great start to proactively managing cybersecurity within your benefit plans.
#1 – Plan management should develop a policy and assign a specific person to review SOC 1 reports each reporting period. Keep in mind, training is available to help beginners better understand these reports and the meaning behind the information presented.
#2 – Any significant findings should be shared with those charged with the governance of the plan. In instances where exceptions are noted, plan management will need to follow up with the respective vendor to discuss those exceptions and assess any potential impact on plan operations.
Additionally, if the SOC 1 auditor issues a qualified opinion, it is critical to understand the basis for the qualification and then discuss it in detail with the vendor to make sure it would not have any significant impact on plan operations.
#3 – Evaluate your own internal controls to ensure they align with the complementary user entity controls listed in those SOC 1 reports.
User entities are organizations that utilize a service organization. When using a service organization, there are certain controls that remain the responsibility of a user entity and these are called complementary user entity controls. Service organizations assume, in the design of their services, those complementary controls will be implemented by the user entities.
Cybersecurity systems are constantly improving and evolving; however, so are cyberattacks. To that end, being proactive means staying on top of the latest trends in cybersecurity. If you want to read more on cybersecurity concerns, please check out our other blog post, Cybersecurity Concerns for Employee Benefit Plans.
As a Senior Manager on our ERISA Assurance and Compliance Services Team, Sharjeel has more than a decade of experience in accounting and financial audits for a variety of industries and employee benefit plans. He has planned and supervised numerous audits of defined contribution (401(a), 403(b), 401(k)) plans (including plans requiring Form 11-K filings), defined benefit (traditional pension and cash balance) plans, health and welfare plans, and master trust investment accounts. Sharjeel leads the Firm’s Form 5500 preparation practice and has assisted several clients with the DOL & IRS voluntary correction programs. Connect with Sharjeel on Twitter, LinkedIn, or email.