Page 53 - OctDefComp

Tips for hiring a service provider

The following guidance from the DOL is intended to help plan sponsors and fiduciaries select a retirement plan service provider with strong cybersecurity practices. Each item from the DOL document, Tips for Hiring a Service Provider with Strong Cybersecurity Practices, is accompanied by a response detailing Empower's protocols.

1. What are Empower's information security standards, practices and policies, and audit results, and how do they compare to the industry standards adopted by other financial institutions?

Empower's comprehensive information security program includes regular assessments of our controls and extensive security testing, both with the aim of reducing risk to our organization. Empower's information security policies are aligned with NIST 800-53, and third-party auditors attest to the effectiveness of our policies and controls via our SOC 2 type 2 reports. We continually validate the controls of our comprehensive security program with unannounced tests and assessments, including penetration testing from multiple sources and internal and external security assessments. Our audit reports have unqualified opinions (clean reports) from our independent auditors.

Does Empower follow a recognized standard for information security and use an outside (third-party) auditor to review and validate cybersecurity defense in depth?

Empower uses several third-party services to provide independent evaluations of our network and systems security controls to test our defense-in-depth strategy. A sampling of these includes third-party external auditors performing annual attestations to produce AICPA SOC 1 type 2 and SOC 2 type 2 reports, and the Verizon Business Enterprise Risk Group, whose certification program addresses all aspects of proactive cybersecurity measures and controls. Yearly results of these evaluations have been excellent, and relevant findings are remediated immediately.

2. How does Empower validate your practices, and what levels of security standards have you met and implemented? What audit results can we review to demonstrate compliance with the standard?

Within the secure plan sponsor website provided by Empower, we provide documentation that supports and informs the plan sponsor about Empower's current security program and practices. These documents are referred to as the Security Assurance Package (SAP), which currently consists of the following items, updated annually: Security Program Overview document, SOC 1 type 2 report, SOC 2 type 2 report, available IT certification reports (e.g., Verizon CRP) and a completed SIG-Lite (Standardized Information Gathering) questionnaire with related supporting materials. The SIG-Lite is a standardized document template created by the Shared Assessments Program, a consortium of leading financial institutions, the Big 4 accounting firms and companies from a wide array of industries. Empower's Data Security Addendum and Privacy Addendum are available upon request.
                                 FOR FINANCIAL PROFESSIONAL AND PLAN SPONSOR USE ONLY.