The retirement industry historically dealt with only family fraud, but that started to change about four years ago, SPARK's Mr. Rouse said. Now, through an increasing number of outside security breaches, individuals have "acquired personally identifiable information about each of us, and (are) using it to then get into individuals' accounts and try to get money out of accounts," he said.
There has also been an increase in web-based retirement accounts, which can sometimes even be accessed via apps on smartphones, Mr. Gower said.
Ultimately, the law is lagging in terms of keeping up with changing technology, Ms. Buckmann said.
"ERISA was adopted in 1974, and nobody had computers or had to worry about this issue," she said. "So, there's nothing specific in ERISA about this."
Ms. Buckmann said while the Labor Department's guidance does offer some relief, the guidance is not binding, so "it doesn't have the same legal status as regulation."
"I think the law ought to require (plan sponsors), not just as a best practice, but as a legal matter, to make sure that … there are procedures in place (for) the record keeper to keep that data safe," she said, adding that she would prefer congressional action to binding guidance from the Labor Department.
The retirement industry is working to keep up with cyberthreats, but the threats change quickly, Mr. Rouse said.
"As the industry responds to the cybercriminals, cybercriminals are learning things, and adapting and trying new things," he said. "So, it's a constant battle."
Although things move quickly, the least a company can do is follow the cybersecurity practices it has already established, Ms. Scott said.
"I think that having robust procedures in place designed to protect plan participants and plan assets from cybersecurity breaches is really important, but then following their own procedures, and kind of being very alert to red flags and breakdowns in the system is critical," Ms. Scott said.