Page 9 - NovDefComp
P. 9
HUMAN RESOURCES DEPARTMENT
Inter-Departmental Correspondence
DATE: November 4, 2021
TO: Deferred Compensation Advisory Committee
FROM: Jay Castellano, Employee Benefits
SUBJECT: Cyber-Security Due Diligence Reports
RECOMMENDATION:
Accept Empower’s Service Organization Control (SOC2) reports that indicate Empower
employs adequate controls to ensure our plan participants’ accounts’ online security,
integrity, confidentiality and privacy.
BACKGROUND:
Management of the recordkeeper and oversight of their operations, including their
information security, is one of the Deferred Compensation Advisory Committee’s many
responsibilities. With regard to information security, the DCAC can assess our
recordkeeper’s, Empower, operations through its independently-produced SOC2 audit
report.
As noted by Empower’s Trish McGinity in the DCAC’s October 27 retreat, the SOC2
report is the most common report requested by plan sponsors. Other readily-available,
independently-produced information security reports from Empower include the SOC1
report and Empower’s Data Security and Privacy Addendums. During the next year and
prior to the DCAC’s 2022 cyber-security review, staff will work with the County
Information Systems Department and with our peer plans to develop a DCAC-specific
cyber-security policy and recommend the specific documentation needed to support that
policy.