PLANSPONSOR - May - June 2023 - 38

FIDUCIARY FORUM
Time for the SOCs
Systems and organization control reports can confirm cybersecurity
Cybersecurity continues to be a hot topic in the retirement plan world and will remain one as long as we have cybercriminals. In fact, plan fiduciaries should not be expecting this to change anytime soon and should consider taking steps to confirm procedures are in place to keep participant data secure and confidential.

In response to retirement plan losses through cybertheft, we have seen multiple lawsuits filed against plan sponsors and their recordkeepers over the past few years. These lawsuits allege that the losses were caused by failure to ensure cybersecurity protections of participant accounts. Further, the Department of Labor is focused on cybersecurity in the retirement plan world. As we previously reported (see "The Cybersecurity Challenge," PLANSPONSOR, December 2021/January 2022), the DOL has issued guidance identifying "best practices" to mitigate cybersecurity risks in the administration of plans covered by the Employee Retirement Income Security Act, along with advice on hiring retirement plan service providers and online security tips for retirement plan participants.

In connection with the agency's cybersecurity concerns and guidance, we are seeing DOL investigators add cybersecurity questions and requests to ongoing retirement plan investigations. Specifically, these new questions focus on the steps that plan sponsors should take in meeting their fiduciary responsibility when it comes to protecting participant data.

The DOL is not just requesting information about the plan sponsor's cybersecurity programs and policies but also those of the plan's service providers. We have seen DOL investigators asking 40-plus cybersecurity questions, as well as making requests for numerous related documents.

Some of the materials they ask for include the following: all documents constituting or reflecting the plan's cybersecurity program and all concerning the components of that program; a schedule of systems critical to the maintenance and protection of plan participant data and assets; and service provider reports of third-party audits of information systems, such as SOC 1 or SOC 2 reports.

This last request is something that may be novel to plan fiduciaries but is likely readily available and the easiest with which to comply. Rather than waiting for a DOL request as part of a cybersecurity review, plan fiduciaries may request and review service provider SOCs 1 and 2.
So what is SOC? SOC [Systems and Organization Controls] references an audit on certain service provider systems and organization controls. The American Institute of Certified Public Accountants oversees the SOC framework and sets the auditing standards required. There are different kinds of SOC audits, but the most common conducted by service providers in the retirement plan industry are SOC 1 and SOC 2.

SOC 1 is an audit on the controls at a service organization, which is relevant to internal controls over financial reporting. SOC 2 audits are broader and contain more detailed information and assurance about the controls at a service organization relevant to security, availability and processing integrity of the systems the service organization uses to process users' data, as well as the confidentiality and privacy of the information these systems process.

The SOC 2 audit is the most useful report for plan sponsors, as it will generally address cybersecurity and privacy controls and processes that the service provider has adopted. In our experience, most, if not all, service providers have obtained a SOC 2 audit and have such reports readily available.

While there is no specific requirement under ERISA to review SOC reports (or cybersecurity, for that matter), the DOL's requests for this information during investigations suggest the department considers review of such information to be part of a plan fiduciary's duty.

Further, as evidenced by investigation requests, the DOL appears to expect that plan sponsors have requested and received these reports. If a plan fiduciary has renegotiated the plan's service agreement in the past few years, it may have acknowledged receipt of the SOC 1 and/or SOC 2 report. As plan fiduciaries work to understand the cybersecurity protection policies and programs of their service providers, the SOC 2 report may be the first step to gathering that information. Requesting and reviewing these reports can help demonstrate that the plan fiduciaries are taking steps to protect participant data and meet their fiduciary responsibilities.

Summer Conley is a partner in the Los Angeles office of Faegre Drinker Biddle & Reath LLP. Michael Rosenbaum is a partner in the firm's Chicago office. Heather Bader, also a partner in Los Angeles, contributed to this column.