In recent months, the Department of Labor (DOL) has raised concerns about cybersecurity and employee benefit plans. Employee benefit plans may be vulnerable to cyber-attacks and thus exposed to risks relating to privacy, security, and fraud. Plan administrators, or those charged with governance, have an ERISA fiduciary duty with respect to the management of the plan, which encompasses the duty to care for personally identifiable information (PII) and protected health information (PHI).
Topics: cybersecurity, Employee Benefit Plans, Uncategorized
This article focuses on how to address the carve-outs of subservice organizations in a SOC 1 report (Service Organization Controls Report). SOC 1 reports cover key controls at the organizations that provide various services to the benefit plan (e.g., payroll providers, recordkeepers, and custodians). These reports should be obtained and reviewed by the plan sponsor so that the sponsor understands the systems in place at the service organization, including key controls that address financial statement assertions. The reports are also generally used by the auditor for performing the plan audit. We have found carve-outs of subservice organizations within the SOC 1 report (and how best to address them) to be a common hurdle in using the SOC 1 report effectively.
Topics: Employee Benefit Plans, SOC Report, Uncategorized
The Supreme Court repealed Section 3, a key portion of the Defense of Marriage Act (DOMA), on June 26, 2013. Section 3 prevented the federal government from recognizing marriages of same-sex couples. Section 3 was declared unconstitutional because it violates the Constitution’s equal protection promise. The following article from Swerdlin & Company addresses what this means for employee benefit plans.
Topics: Benefit Plan Audits, Defense of Marriage Act, DOMA, Employee Benefit Plans, hardship distributions, Uncategorized