ThinkAdvisor

401(k) Plans Have a Big Cybersecurity Problem, Need Guidance: GAO

What You Need to Know

  • The government watchdog group says data sharing practices put plan participants at risk of cyber breaches.
  • It urged the Labor Department to set minimum guidelines for fiduciaries to protect millions of investors.
  • A failure to take action could lead to cyberattacks that erode confidence in the retirement system.

Not only do 401(k) investors have to worry about market risk, they also have to watch out for cyber criminals who could steal their retirement savings and identity, according to a Government Accountability Office report issued Monday that recommends that the Labor Department issue guidance on the problem.

The GAO report, released by Sen. Patty Murray, D-Wash.; Rep. Bobby Scott, D-Va.; and Sen. Maggie Hassan, D-N.H., reviewed cybersecurity threats posed to retirement plans. The agency conducted its review in response to a 2019 inquiry by the three lawmakers.

Murray is chair of the Senate Health, Education, Labor and Pensions Committee, and Scott chairs the House Education and Labor Committee.

“This report confirms cybersecurity and retirement security go hand in hand, and it’s time we make sure we have policies that reflect that reality,” Murray said in a release.

According to the GAO report, as of 2018, there were 106 million people in private retirement plans that had roughly $6.3 trillion in assets.

It noted that “a host of plan administrators share the personal information used to administer these plans via the internet, which can lead to significant cybersecurity risks. In some cases, there is no federal guidance about how to mitigate these risks.”

The GAO’s report urged the Labor Department to clarify whether fiduciaries are responsible for cybersecurity, and if so, issue guidance on minimum expectations for reducing cybersecurity risks, the release said.

Key Dangers

The report highlighted that personally identifiable information (PII) is shared throughout the chain of providers, starting at the plan sponsor and moving back and forth through third-party administrators, recordkeepers, custodians and payroll providers.

The GAO stated that one cyberattack “at any point in the complex web of entities working together to administer a retirement plan could cause enormous losses of both PII and plan assets, which could lead to identity theft or severe financial and other ramifications for plan participants.”

It added that to prevent this, both industry and government should evolve their methods to keep up with the increase in threats.

The GAO said that “plan fiduciaries and their service providers rely on a patchwork of federal regulations, guidance and industry leading practices to help them mitigate cybersecurity risk in DC plans.”

According to the GAO report, Labor Department officials told them that “the agency intends to issue guidance addressing cybersecurity-related issues, but they were unsure when it would be issued. Until DOL clarifies responsibilities for fiduciaries and provides minimum cybersecurity expectations, participants’ data and assets will remain at risk.”

In conclusion, the GAO stated that “until DOL formally clarifies plan fiduciaries’ responsibilities and provides minimum expectations related to cybersecurity, fiduciaries may not realize that they could be liable for losses they were obligated to prevent, such plans and their participants will continue to be vulnerable to financial losses and PII breaches.

“Such risks could lead to the erosion of confidence in our nation’s private pension system,” it said.