DOL must address cybersecurity risk in DC plans: GAO

Is cybersecurity a fiduciary responsibility? Government watchdog asks DOL to clarify, and provide guidelines for mitigating risk.


Personal identifiable information (PII) associated with employee retirement plans is vulnerable to cybersecurity risk because of the sensitive nature of the data and the way it is transferred among a variety of players, including recordkeepers, third-party administrators, payroll providers and plan sponsors. That’s according to a new report from the U.S. Government Accountability Office.

The types of PII shared between parties include, but aren’t limited to, the following (see graphic below):

The GAO report was developed through interviews with custodians, payroll providers, plan sponsors, recordkeepers and third-party administrators as well as members of the ERISA Advisory Council, attorneys specialized in retirement, experts focused on threats to the financial sector, and retirement industry organizations.

The GAO reported its findings to Congress in February. In its report, GAO suggests that federal guidance on the topic of cybersecurity could help mitigate the risks to retirement savings plans.


According to the report, the Department of Labor has not clarified fiduciary responsibility for mitigating cybersecurity risks, nor has it established minimum expectations for protecting PII and plan assets.

Almost all of the stakeholders interviewed for the report, however, said they view cybersecurity as a fiduciary duty, and DOL reported to the GAO that it intends to issue guidance addressing cybersecurity-related issues, although it did not say when.


Until DOL clarifies responsibilities for fiduciaries and provides minimum cybersecurity expectations, participant data and assets will remain at risk, said the GAO. That risk is sizable. The most recent data provided by the DOL said as of 2018, 106 million people participated in private sector employer-sponsored defined contribution retirement plans with assets of nearly $6.3 trillion.

Retirement plan data is vulnerable to a variety of threats, including malware, ransomware, phishing, spoofing, business email compromise, social engineering, account takeover, data exfiltration, privilege abuse and reliance on third-party vendors, said the report. While criminal groups and hackers often use cyber attacks for monetary gain, some do it for a challenge or for revenge.

The report said that while information on cyber attacks is not broken down by industry, a number of legal claims allege that unauthorized access to, and distribution of, retirement plan assets have occurred and resulted in losses to those plans.

In one example the GAO provided, a threat actor stole $245,000 using an unauthorized distribution of the participant’s retirement account after obtaining the last four digits of the participant’s social security number and date of birth.


GAO provided further examples of accounts being fraudulently accessed and retirement funds stolen by insiders and other bad actors. In some cases, assets were recovered or returned, but other cases are ongoing.

Standards and guidelines are in place to protect employees’ personal information held in retirement plans, such as the Gramm-Leach-Bliley Act and the Federal Trade Commission Safeguards Rule, both of which apply to financial institutions. However, in the network within which employee benefits information travels, not all players are considered financial institutions, said the report.

Further complicating the situation is the fact that guidance and tools offered by the federal government and the financial and retirement industries to mitigate cybersecurity risks may be helpful for plan sponsors and service providers, but they are typically voluntary and therefore do not ensure a high level of diligence in mitigating cybersecurity risks.

Guidance has been offered by the Society of Professional Asset Managers and Record Keepers, the American Institute of Certified Public Accountants and the Financial Services Information Sharing and Analysis Center. In addition, cybersecurity insurance may help plan sponsors and service providers recover from a cyber attack; however, the report noted such policies have limitations, most notably that they generally do not replace stolen funds.

GAO said DOL officials reported that in their view, the fiduciary obligations under ERISA apply to managing cybersecurity risks of both retirement plan assets and PII.

This includes overseeing any entity providing services to retirement plans and ensuring due diligence is performed on their cybersecurity measures or setting up agreements that place fiduciary liability onto the provider for certain functions.

DOL officials reported to GAO that they believe cybersecurity is a large problem for retirement plans and that the agency has begun an initiative to provide public-facing guidance to fiduciaries and service providers on securing their IT systems.

ERISA attorneys told GAO that a fiduciary’s failure to mitigate cybersecurity risk could lead to legal liability, particularly in the absence of guidance from DOL. The report indicates the ERISA Advisory Council suggested DOL address privacy and security in plan administration in reports released in 2011 and 2016.

GAO concluded with two recommendations to DOL. First, it recommended the Secretary of Labor formally state whether cybersecurity for private sector employer-sponsored DC retirement plans is a fiduciary responsibility under ERISA. Second, it said the Secretary of Labor should develop and issue guidance that sets minimum expectations for mitigating cybersecurity risks and outlines the specific measures that all entities involved in administering private sector employer-sponsored DC retirement plans should take.

Kristen Beckman is a freelance writer based in Colorado. She previously was a writer and editor for ALM’s Retirement Advisor magazine and LifeHealthPro online channel. She also was a reporter for Business Insurance magazine covering workers compensation topics.