Pension & Benefits News
Wednesday, April 14, 2021

DOL should clarify that cybersecurity is fiduciary responsibility for employer-sponsored retirement plans, says GAO

By Pension and Benefits Editorial Staff

On March 15, 2021, the Government Accountability Office (GAO) released a report finding that the Department of Labor (DOL) has not clarified fiduciary responsibility for mitigating cybersecurity risks in the administration of private-sector employer-sponsored defined contribution (DC) retirement plans, such as 401(k) plans, even though 21 of the 22 stakeholders the GAO interviewed regarded cybersecurity as a fiduciary duty. Nor has the DOL established minimum expectations for protecting personally identifiable information (PII) and plan assets. Until the DOL clarifies fiduciaries' responsibilities and sets minimum cybersecurity expectations, participants' data and assets will remain at risk, according to the report.

PII sharing presents cybersecurity risks. In administering private-sector employer-sponsored DC retirement plans, such as 401(k) plans, plan sponsors and their service providers, including recordkeepers, third-party administrators, custodians, and payroll providers, share a variety of PII and plan asset data with one another in order to carry out their respective functions. The PII exchanged typically includes participant name, Social Security number, date of birth, address, and username and password; plan asset data includes both retirement account and bank account numbers. Sharing and storing this information exposes plan sponsors and their service providers, as well as plan participants, to significant cybersecurity risks, the GAO pointed out.

Clarifying requirements. Federal requirements and industry guidance exist that could mitigate cybersecurity risks in DC plans, such as requirements for entities that directly engage in financial activities involving DC plans. But not all entities involved in DC plans are considered to have such direct engagement, and other cybersecurity mitigation guidance is voluntary.

While federal law requires plan fiduciaries to act prudently when administering plans, the DOL has not clarified fiduciary responsibility for mitigating cybersecurity risks. Moreover, the DOL has not established minimum expectations for protecting PII and plan assets. Although DOL officials told the GAO that the Department intends to issue guidance addressing cybersecurity-related issues, they were not sure when it would be issued.

Impetus for the study. The GAO noted that cyberattacks against information technology (IT) systems are perpetrated by individuals or groups with malicious intentions, ranging from stealing identities to taking money from accounts. DC plans, which allow individuals to accumulate tax-advantaged retirement savings, increasingly rely on the internet and IT systems for their administration. In addition, plan sponsors may outsource the administration of retirement plans, including recordkeeping and other services, to third-party service providers, which increases the opportunities for malicious actors to gain unauthorized access to accounts, participant PII, and plan asset data. As a result, the need to secure these systems has become "paramount," the GAO said. Ineffective data security controls can pose significant risks to plan data and assets. In 2018, 106 million people were participating in private-sector employer-sponsored DC retirement plans holding assets of nearly $6.3 trillion, according to the DOL.

The GAO interviewed key entities involved with DC plans, such as sponsors and recordkeepers, DOL officials, and industry stakeholders; and reviewed relevant federal laws, regulations, and guidance.

Recommendations. The GAO made these recommendations:

  • The Secretary of Labor should formally state whether cybersecurity for private-sector employer-sponsored DC retirement plans is a plan fiduciary responsibility under ERISA.
  • The Secretary of Labor should develop and issue guidance that identifies minimum expectations for mitigating cybersecurity risks and outlines the specific steps that all entities involved in administering private-sector employer-sponsored DC retirement plans should take.

The DOL agreed with GAO’s second recommendation but did not state whether it agreed or disagreed with the first one.

Lawmakers intend to follow up. Lawmakers who requested the GAO study reacted to the report. “The hard-earned retirement savings of Americans must remain safe and protected against potential cyberattacks,” said House Education and Labor Committee Chairman Bobby Scott (D-VA). “That’s why Senator Murray, Senator Hassan, and I asked GAO to conduct this critical review. GAO’s highly anticipated report provides useful information on the threats and vulnerabilities confronting retirement savings plans and includes recommendations to the Labor Department for action.”

“It’s clear that in too many ways, the policies we have to protect families as they plan for the future are stuck in the past,” said Senate Health, Education, Labor, and Pensions Committee Chairwoman Patty Murray (D-WA). “This report confirms cybersecurity and retirement security go hand in hand, and it’s time we make sure we have policies that reflect that reality.”

Both lawmakers said they look forward to working with colleagues and the Biden Administration to follow up on the report’s findings and recommendations.

Source: GAO Report to Congressional Requesters, “Defined Contribution Plans: Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans,” GAO-21-25
