Lawmakers ask GAO to explore cybersecurity issues in defined contribution plans

The increase in retirement savings held in defined contribution plans, the ubiquity of online accounts and the large number of digital interactions between plans and service providers present "a tempting target" for criminals, two legislators wrote in a letter Tuesday to the Government Accountability Office.

Sen. Patty Murray, D-Wash., and Rep. Robert C. "Bobby" Scott, D-Va., sent the letter to Gene Dodaro, comptroller general of the GAO, requesting that the office examine cybersecurity in the private retirement system. Ms. Murray is the ranking member on the Senate Health, Education, Labor and Pensions Committee, and Mr. Scott is chairman of the House Committee on Education & Labor.

The "cybersecurity safeguards, risks and liabilities for plan sponsors and participants remain ill-defined, especially with regard to major data breaches or advanced persistent threats," the letter stated.

Current law, the letter continued, does not "address a number of questions related to cybersecurity, and plans fall within a patchwork of federal and state laws and regulations."

Among other questions, the legislators asked the GAO to address what plan sponsors and service providers are doing to protect plan data. Also, in the event of a data breach, what steps should sponsors be required to take to protect plan participants? The lawmakers also asked what the possible legislative or regulatory options are to protect data and account information.

With the patchwork of regulations in mind, the SPARK Institute, which formed the Data Security Oversight Board composed of industry stakeholders, published a set of cybersecurity best practice standards in 2017. The standards are intended to help establish guidelines to assist plan sponsors and service providers in properly assessing and comparing retirement plan vendors, he said. Plan sponsors, through their consultants, are using the standards to evaluate record keepers' data-protection capacities without record keepers having to disclose their methods.