Federal watchdog warns of cybersecurity risks to employee retirement plans

Dive Brief:

The Government Accountability Office (GAO) said retirement plans such as 401(k)s face higher risk of cyberattack because the Labor Department has not clarified the cybersecurity responsibilities of employers and other fiduciaries, or provided guidance for safeguarding employees' savings and personal data.
In the absence of Labor Department guidance, companies and other retirement plan administrators might not understand their duties in cybersecurity and plan participants cannot be assured their assets and personal information are safe, according to the GAO, Congress's watchdog agency.
"Without formal clarification from DOL [Department of Labor], fiduciaries could face legal challenges if they fail to meet their responsibilities to protect retirement benefits, plan assets and participant PII [personally identifiable information]," the GAO said.

Dive Insight:

The global cost of cybercrime this year will exceed $6 trillion, more than double the $3 trillion in damage in 2015, according to an estimate by Cybersecurity Ventures. In 2019, the Federal Bureau of Investigation received nearly 500,000 complaints of suspected cyber crimes, with reported losses exceeding $3.5 billion, it said.

Labor Department officials acknowledged "cybersecurity was a serious problem for retirement plans," the GAO said, adding that the officials see "a risk that some fiduciaries may not be able to cover losses because of the large amount of money potentially at risk in retirement accounts."

Defined contributions retirement plans held nearly $6.3 trillion in assets for 106 million enrolled participants in 2018, the GAO said, quoting what it said is the most up-to-date Labor Department data. "In many cases these funds are a participants' only savings."

A "potential lack of adequate and consistent protection could result in substantial harm to participants and beneficiaries including loss or theft of money, identity theft or litigation of plan fiduciaries and their administrators," the GAO said.

Cybercriminals often pilfer participants' personal information kept by employers and service providers, including Social Security numbers, addresses and birth dates.

Retirement plan fiduciaries and service providers rely on a patchwork of federal regulations, guidance and standard industry practices to curb cybersecurity risks, the GAO said.

"Until DOL formally clarifies plan fiduciaries' responsibilities and provides minimum expectations related to cybersecurity, fiduciaries may not realize that they could be liable for losses they were obligated to prevent, and plans and their participants will continue to be vulnerable to financial losses and PII breaches," the GAO said.

DOL officials said they plan to publicly release guidance addressing several cybersecurity-related issues yet "could not describe the specific contents of the guidance nor were they certain when it will be issued," according to the GAO.

Spokespersons for the Labor Department's Employee Benefits Security Administration did not reply to phone or email requests for comment.

"It's clear that in too many ways, the policies we have to protect families as they plan for the future are stuck in the past," Sen. Patty Murray, D.-Wash., said in a statement. "This report confirms cybersecurity and retirement security go hand in hand, and it's time we make sure we have policies that reflect that reality."