Page 45 - OctDefComp
3. A reliable annual third-party audit of security controls

Empower maintains annual third-party audits of our security controls including SOC 1 type 2 and SOC 2 type 2 audit reports.

SOC 2 type 2 reports provide:
• Evidence of adherence to security controls.
• Transparency of the scope of testing.
• Auditor testing conclusions with quantities and details of issues noted.
• Management remediation plans if issues are noted.
• A modern U.S. standard.

Empower’s external third-party auditors perform annual attestations of adherence to our security controls, to produce SOC 2 type 2 annual reports, the industry’s most frequently requested proof of compliance and security program thoroughness by prospective and existing clients. Our annual SOC 2 type 2 reports are specific to IT and security controls of our recordkeeping system that include a wide spectrum of information security and business resiliency. The annual audit provides assurance that Empower’s service commitments and system requirements are achieved based on the trust services criteria relevant to set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria). Since each organization can define what is in scope for their controls, it is important to verify that the SOC 2 report specifically includes the recordkeeping system in scope, as Empower has done with our SOC 2 type 2 report. Unlike a one-page, point-in-time ISO 27001 certification, 100+ page in-depth SOC 2 type 2 reports test and transparently convey both the design effectiveness and the operating effectiveness of our security and regulatory compliance control objectives. For ease of comparison across providers, ask for a SOC 2 type 2 report that is mapped to the SPARK Institute’s 16 control objectives. The SPARK Institute is a member-driven, non-profit organization and leading voice in Washington D.C. for the retirement plan industry. SPARK helps shape national retirement policy by developing and advancing positions on critical issues that affect plan sponsors, participants, service providers, and investment providers. SPARK’s 16 control objectives were derived from a list of over 1,300 questions submitted to member firms and then organized into overall control topics which align closely with these DOL best practices.

We also contract with independent security firms to perform annual penetration tests and assessments of our key applications, plus an external network-layer assessment of our entire internet-facing infrastructure. These assessments and penetration tests seek vulnerabilities a cybercriminal would try to use to breach our security controls, such as SQL injection, cross-site scripting and other common attacks. Yearly results of these evaluations have been excellent, and relevant findings are remediated immediately.
FOR FINANCIAL PROFESSIONAL AND PLAN SPONSOR USE ONLY.