
Pico achieves SOC 2 Type 2 Compliance!

INTERNAL USE ONLY

SOC 2 Type 2 Compliance FAQs for Sales

LINKEDIN MESSAGE (to be posted Tues., March 27th): Curious about Pico’s corporate controls, security, and/or processes? We recently became SOC 2 compliant and welcome the opportunity to share the results with you. Contact your Account Manager or [email protected] to learn more. #soc2audit #soc2

WEBSITE POST (to be posted to the NEWS SECTION Tues., March 27th):

Headline: Pico is proud to announce that we have achieved SOC 2 Type 2 compliance!

Body: SOC 2 are attestation standards issued by the American Institute of Certified Public Accountants (AICPA) that address examination engagements for service providers. Pico completed two reviews – Market Data Services and Managed Services. The SOC 2 examination uses standardized, third-party criteria to validate Pico’s compliance outlined in the Trust Services Principles. Pico has developed internal control objectives to support only the highest levels of excellence in managed services and market data services for our clients. Contact us ([email protected] hyperlink) to hear more about our completed Market Data Services and Managed Services reviews.

- Confidential -


Internal FAQs

A few facts for you to be prepared for any possible client calls:

What is SOC 2? SOC 2 are attestation standards issued by the American Institute of Certified Public Accountants (AICPA) that address examination engagements for service providers. Pico completed two reviews – Market Data Services and Managed Services. The SOC 2 examination uses standardized, third-party criteria to validate Pico’s compliance outlined in the Trust Services Principles. Pico has developed internal control objectives (see examples below) to support only the highest levels of excellence in managed services and market data services.

Example 1 of an “internal control”: a structured change control process that ensures changes are reviewed and approved to ensure the highest integrity.

Example 2 of an “internal control”: Service Level Agreements, Uptimes, internal commitments to ourselves, our organization and to our customers.

What is the purpose of the report? To provide management of a service organization, user entities and other specified parties with information and a CPA’s opinion about controls at the service organization that may affect user entities’ security, availability, processing integrity, confidentiality or privacy.¹

What are the components of the report?

  • A description of the service organization’s system.
  • A service auditor’s report that contains an opinion on the fairness of the presentation of the description of the service organization’s system, the suitability of the design of the controls, and in a type 2 report, the operating effectiveness of the controls.
  • In a type 2 report, a description of the service auditor’s tests of controls and the results of the tests.²

Who are the intended users of the report? Parties that are knowledgeable about

  • the nature of the service provided by the service organization
  • how the service organization’s system interacts with user entities, subservice organizations, and other parties
  • internal control and its limitations
  • the criteria and how controls address those criteria³

Who will find this useful? Anyone who is regulated. Specifically, those who look at risk. Third-party providers are the biggest area of risk at an organization, and being SOC 2 compliant provides assurance to our clients that we will provide what we say we will provide.

What does being SOC 2 compliant say about Pico? That we are a strong third-party provider that takes our client relationships seriously. Considering the age of our company, this is a great accomplishment. Out of the three levels of reports (1-3), 2 is the most stringent one as it not only validates that you have the policies and procedures, but it goes back and validates while also opining on them. We completed the certification within a year, even more of an indicator of Pico’s strength as a partner.

How do we keep the certification current? We will be recertified on an annual basis.

Let Kate Dockstader and Brian Klement know if you receive any inquiries, and of course if you have any questions.

1 https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/comparision-soc-1-3.pdf
2 https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/comparision-soc-1-3.pdf
3 https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/comparision-soc-1-3.pdf