It’s time to ask
Maintaining data security is a significant part of running any business. Across the industry, breaches are inevitable, even if not every organization will suffer one. Now is the time to ask your service providers about their data security.
Ask the right questions
Many retirement plan fiduciaries focus their oversight of retirement plan service providers on investment performance and competitiveness of fees. But it’s just as important to ask about data security. Don’t limit your inquiry to the vendor’s own databases — ask about the protection of data passed between the vendor and your plan and its participants.
Ask to review your contract’s security provisions together with your vendor. Also be sure to discuss whether the vendor has had any breaches of its systems. And inquire about any upgrades to the data system and whether these upgrades have been through data security testing.
Make an annual review
Because of the highly technical nature of data security procedures, sponsors and general consultants typically aren’t equipped to make a personal assessment of the procedures’ adequacy. The good news is that they don’t have to. The American Institute of Certified Public Accountants (AICPA) created an industry auditing standard known as Statement on Auditing Standards (SAS) No. 70 (Service Organizations) in 1992. This standard laid the foundation and provided guidance to auditors who issued audit reports on the controls over transaction processing by service organizations. Many in the accounting industry continue to use the phrase “SAS 70” generically to refer to this type of audit.
Auditors now refer to successor AICPA standards that provide standards and guidance for the following service organization control (SOC) reports: SOC 1/SSAE No. 16 (Reporting on Controls at a Service Organization) and SOC 2 (Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy).
According to the AICPA, undergoing such an audit requires an in-depth examination of the provider’s control objectives and control activities. This often includes controls over information technology and related processes.
Get the report
Plan sponsors can request a copy of a vendor’s SOC 1 or SOC 2 report. If the report indicates that the service provider’s controls are inadequate, the vendor may decline to share it with customers until it obtains a passing report in a subsequent audit. If a service provider cannot provide an audit report, find out why. It may be as simple as a small service provider believing it cannot afford one. That may or may not be a red flag, depending on what other insights about the vendor have been gleaned through the regular due diligence process.
After you receive a vendor’s SOC 1 or SOC 2 report, keep copies on file. This can help establish that plan fiduciaries sought and received information confirming the quality of the service provider’s data security controls.
Now is the time
Even though it’s unlikely that plan participants would sustain a financial loss if the files of a plan’s service provider were hacked, the service disruption might be more than a minor inconvenience. Also, a data breach may result in a deterioration in service quality. Before you enter into any agreement with a vendor, be sure you have all the information.