When is the last time you contacted your service provider to get a better understanding of their data security? A significant part of running any business includes maintaining data security. Breaches are inevitable — although not at every organization. It is important to be diligent and take the time to ask your service providers about their data security.
Ask the Right Questions
While a common focus of many retirement plan fiduciaries is to focus on investment performance and competitiveness of fees, data security is not always given the attention it deserves. It is just as important to ask about data security as it is about investment performance. While inquiring about the vendors own databases is very important, do not limit your inquiry to just this topic; ask about the protection of data passed between the vendor and your plan and its participants.
It is also important to ask to review your contract’s security provisions together with your vendor. It is critical to discuss whether the vendor has had any breaches of its systems and also to inquire about any upgrades to the data system, and whether these upgrades have been through data security testing.
Make an Annual Review
Due to the highly technical nature of data security procedures, sponsors and general consultants typically are not equipped to make a personal assessment of the procedures’ adequacy. The good news is that they don’t have to.
In 1992, Statement on Auditing Standards (SAS) No. 70 (Service Organizations) was created by The American Institute of Certified Public Accountants (AICPA) as an industry auditing standard. This standard laid the foundation and provided guidance to auditors who issued audit reports on the controls over transaction processing by service organizations. This type of audit is generally referred to by using the phrase “SAS 70.”
Auditors now refer to successor AICPA standards that provide standards and guidance for the following service control organization (SOC) reports: SOC 1/SSAE No. 16 (Reporting on Controls at a Service Organization) and SOC 2 (Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy).
According to the AICPA, undergoing such an audit requires an in-depth examination of the provider’s control objectives and control activities. This often includes controls over information technology and related processes.
Get the Report
It is important that plan sponsors request a copy of a vendor’s SOC 1 or SOC 2 report and read it thoroughly. If the report indicates the service provider’s controls are inadequate, a vendor may not share the report with customers until it obtains a passing report in a subsequent audit. It could be a red flag if a service provider cannot provide an audit report, so make sure to inquire further and find out why. The answer may be as simple as the service provider being small and not believing it can afford it. That may or may not be a red flag, depending on what other insights about the vendor have been gleaned through the regular due diligence process.
After you receive a vendor’s SOC 1 or SOC 2 report, keep copies on file. This can help establish that plan fiduciaries sought and received information confirming the quality of the service provider’s data security controls.
Now is the Time
Although it is unlikely that plan participants would sustain a financial loss if the files of a plan’s service provider were hacked, the service disruption might be more than a minor inconvenience. Also, a data breach may result in a deterioration in service quality. Before you enter into any agreement with a vendor, be sure you have all the information.