The Government Accountability Office has recommended the Department of Labor make clear whether a fiduciary is responsible for mitigating cybersecurity risks in defined contribution plans and to establish minimum expectations for addressing cybersecurity risks in those plans.
The sharing and storing of participants' personally identifiable information, or PII, such as names, Social Security numbers, dates of birth, addresses and usernames/passwords, can create significant cybersecurity risks for plan sponsors and their service providers, as well as for plan participants, the GAO said in its report, which was published last month and made public Monday.
"A single cyberattack at any point in the complex web of entities working together to administer a retirement plan could cause enormous losses of both PII and plan assets, which could lead to identity theft or severe financial and other ramifications for plan participants," the GAO said. "Accordingly, it has become imperative that industry and government prevention and mitigation efforts evolve to keep pace with these threats."
Though federal requirements exist for entities that directly engage in financial activities involving DC plans, not all entities involved in DC plans are considered to have direct engagement, the GAO said. Moreover, other cybersecurity mitigation guidance is voluntary.
Although federal law requires plan fiduciaries to act prudently when administering plans, the Labor Department has not clarified fiduciary responsibility for mitigating cybersecurity risks, the GAO said.
Of the 22 stakeholders the GAO interviewed for its report, 21 said that cybersecurity is a fiduciary duty.
"DOL officials told GAO that the agency intends to issue guidance addressing cybersecurity-related issues, but they were unsure when it would be issued," the GAO said. "Until DOL clarifies responsibilities for fiduciaries and provides minimum cybersecurity expectations, participants' data and assets will remain at risk."
The GAO conducted its investigation in response to a 2019 inquiry from congressional Democrats, Sen. Patty Murray, D-Wash., chairwoman of the Senate Health, Education, Labor and Pensions Committee, and Rep. Robert C. "Bobby" Scott, D-Va., chairman of the House Committee on Education and Labor.
"It's clear that in too many ways, the policies we have to protect families as they plan for the future are stuck in the past," Ms. Murray said in a statement. "This report confirms cybersecurity and retirement security go hand in hand, and it's time we make sure we have policies that reflect that reality. I'll be working with my colleagues, and with the Biden administration to follow through on the findings in this report so we can make sure workers and retirees know their savings are in fact safe, and that a cyberattack will not throw their retirement into jeopardy."