HUMAN RESOURCES DEPARTMENT
                                       Inter-Departmental Correspondence

               DATE:                 November 4, 2021

               TO:                   Deferred Compensation Advisory Committee

               FROM:                 Jay Castellano, Employee Benefits

               SUBJECT:              Cyber-Security Due Diligence Reports


               RECOMMENDATION:

               Accept Empower’s Service Organization Control (SOC2) reports that indicate Empower
               employs adequate controls to ensure our plan participants’ accounts’ online security,
               integrity, confidentiality and privacy.

               BACKGROUND:

               Management of the recordkeeper and oversight of their operations, including their
               information security, is one of the Deferred Compensation Advisory Committee’s many
               responsibilities. With regard to information security, the DCAC can assess our
               recordkeeper’s, Empower, operations through its independently-produced SOC2 audit
               report.

               As noted by Empower’s Trish McGinity in the DCAC’s October 27 retreat, the SOC2
               report is the most common report requested by plan sponsors. Other readily-available,
               independently-produced information security reports from Empower include the SOC1
               report and Empower’s Data Security and Privacy Addendums. During the next year and
               prior to the DCAC’s 2022 cyber-security review, staff will work with the County
               Information Systems Department and with our peer plans to develop a DCAC-specific
               cyber-security policy and recommend the specific documentation needed to support that
               policy.