Cybersecurity risk in 401k accounts is a growing problem, and now the Government Accountability Office (GAO) is telling the Department of Labor (DOL) to do something about it.
The GAO noted that in 2018, about 106 million people participated in employer-sponsored defined contribution retirement plans, such as 401ks, that contained about $6.3 trillion.
“A host of plan administrators share the personal information used to administer these plans via the internet, which can lead to significant cybersecurity risks,” the agency wrote in a new report. “In some cases, there is no federal guidance about how to mitigate these risks.”
The DOL hasn’t clarified whether plan fiduciaries are responsible for mitigating cybersecurity risks, and hasn’t set minimum expectations for protecting personal information, the GAO added, recommending “that the DOL do so.”
To that end, the GAO called upon the DOL to 1) formally state whether it is a fiduciary’s responsibility to mitigate cybersecurity risks in defined contribution (DC) plans and 2) establish minimum expectations for addressing cybersecurity risks in DC plans.
“It’s clear that in too many ways, the policies we have to protect families as they plan for the future are stuck in the past,” Senator Patty Murray, D-Wash., Chair of the Senate Health, Education, Labor, and Pensions (HELP) Committee, said upon the report’s release. “This report confirms cybersecurity and retirement security go hand in hand, and it’s time we make sure we have policies that reflect that reality. I’ll be working with my colleagues, and with the Biden Administration to follow through on the findings in this report so we can make sure workers and retirees know their savings are in fact safe, and that a cyberattack will not throw their retirement into jeopardy.”
Yes to one recommendation, maybe to another
“DOL agreed with GAO’s second recommendation but did not state whether it agreed or disagreed with the first one,” the agency said. “Federal requirements and industry guidance exist that could mitigate cybersecurity risks in DC plans, such as requirements that pertain to entities that directly engage in financial activities involving DC plans.”
However, the GAO noted that “not all entities involved in DC plans are considered to have such direct engagement, and other cybersecurity mitigation guidance is voluntary. Federal law nevertheless requires plan fiduciaries to act prudently when administering plans.”
The DOL has not clarified fiduciary responsibility for mitigating cybersecurity risks, even though 21 of the 22 stakeholders the GAO interviewed expressed the view that cybersecurity is a fiduciary duty.
“Further, DOL has not established minimum expectations for protecting [personally identifiable information] and plan assets,” the GAO concluded. “DOL officials told GAO that the agency intends to issue guidance addressing cybersecurity-related issues, but they were unsure when it would be issued. Until DOL clarifies responsibilities for fiduciaries and provides minimum cybersecurity expectations, participants’ data and assets will remain at risk.”