Congress is taking an interest in cybersecurity specifically as it relates to retirement plans, providers, sponsors and participants.
Senator Patty Murray, D-Wash., and Congressman Bobby Scott, D-Va., asked 10 important questions (more actually, since each have multiple parts) of the Government Accountability Office last week, seeking answers about protections in place, and what more should be done moving forward.
“Under current law, retirement plan fiduciaries are responsible for designing and administering plans in the best interest of plan participants,” the politicians wrote. “Current law, however, does not address a number of questions related to cybersecurity, and retirement plans fall within a patchwork of federal and state laws and regulations.”
Given the risk of cyberattacks targeting plan data and retirement savings, they add “and the importance of deterring such attacks (both to protect savings and encourage ongoing participation in workplace retirement savings plans),” they would like GAO to address the following questions:
No. 1
What potential threats to cyberattacks pose to U.S. retirement plan data and ultimately to plan participants’ financial well-being?
No. 2
Given these threats, what our plan sponsors doing to ensure that, as planned fiduciaries, they are taking steps to protect plan data and plan participants? To what extent have plan sponsors and recordkeepers thoroughly assessed security and privacy risks and adopted appropriate measures to ensure that plan data, participants’ personal information, and participants retirement savings are adequately safeguarded?
No. 3
What are plan service providers doing to ensure they are taking the necessary steps to protect plan data and plan participants from these threats? When a data breach does occur, what are the circumstances and the processes under which plan service providers disclose a breach to a plan sponsor?
No. 4
To what extent to federal laws and regulations require plan sponsors, recordkeepers, and other retirement plan service providers to protect plan data and plan participants from these risks?
No. 5
In the event of a data breach, what steps should plan sponsors be required to take to protect plan participants?
No. 6
Do current ERISA bonding requirements sufficiently insure against these risks? Would requiring cybersecurity insurance in addition to existing ERISA bonding requirements mitigate some of these risks? If so, are these policies widely available? Are they cost prohibitive? If Congress were to contemplate such a requirement, what would a proper board amount be, and which parties should be required to be bonded?
No. 7
To the extent that cybersecurity insurance is not sufficiently available on the commercial market, should Congress consider establishing a federal cybersecurity insurer?
No. 8
To what extent do the National Cyber Strategy and relevant federal agencies’ policies prioritize working with the private sector to deter a potential cyberattacks involving participants retirement savings?
No. 9
What are retirement plan sponsors, industry stakeholders, and government regulators in other countries doing to prevent cyberattacks involving retirement savings, and what lessons, if any, should the U.S. take from them?
No. 10
What are possible legislative or regulatory options to bolster the protection of both the data and accounts of retirement savers?
With more than 20 years serving financial markets, John Sullivan is the former editor-in-chief of Investment Advisor magazine and retirement editor of ThinkAdvisor.com. Sullivan is also the former editor of Boomer Market Advisor and Bank Advisor magazines, and has a background in the insurance and investment industries in addition to his journalism roots.