Plan Sponsors Can Now Receive Certificate for ESG Investing

The certificate was developed by the CFA Society of the United Kingdom and is recognized by the UN Principles for Responsible Investment.

The CFA Institute has announced that it will market a certificate in environmental, social and governance (ESG) investing, created by the CFA Society of the United Kingdom, in financial hubs across the globe. 

With 76% of institutional investors and 69% of retail investors declaring an interest in ESG investing, according to a CFA Institute survey, the institute says the certificate will provide recipients benchmarking knowledge to integrate ESG factors into the investment process.

The certificate is designed to meet the needs of practitioners in investment roles who want to learn how to analyze and integrate material ESG factors into their daily investment analysis practices. It is also suitable for professionals wanting to improve their understanding of ESG issues in functions such as sales and distribution, wealth management, product development, financial advice, consulting and risk. 

“We are seeing a real acceleration of interest in ESG investing—a major development that will shape the future of finance—while increased demand from clients and investment management firms has fueled the need for education,” says Margaret Franklin, president and CEO of the CFA Institute. “This certificate is the first of its kind to be made available globally and will equip practitioners with foundational knowledge and competencies, enabling them to better serve the needs of their clients and contribute to building trust within the industry.”

The certificate is a self-study course requiring approximately 130 hours of study, culminating in a computer-based exam of 100 questions held at a proctored testing center or via online proctored testing, where available and/or permissible by local regulation. Candidates have one year to sit the exam after registration, and there are no formal entry requirements. Upon successful completion of the exam, candidates will be awarded a certificate. The cost, which covers the exam and online learning, is $665 and candidates can claim 20 continuing education (CE) credits upon passing the exam.

The Certificate in ESG Investing was developed by the CFA Society of the United Kingdom in consultation with leading firms and is recognized by the United Nations Principles for Responsible Investment (PRI).

GAO Calls on DOL to Issue Cybersecurity Guidance

In a new report, the Government Accountability Office says DC plan fiduciaries need more guidance on cybersecurity.

The U.S. Government Accountability Office (GAO) has released a report examining cybersecurity administration in private sector defined contribution (DC) retirement plans and exploring how federal guidance can mitigate cybersecurity risks.

The GAO report starts by reiterating that DC plans, plan sponsors and their service providers—including recordkeepers, third-party administrators (TPAs), custodians and payroll providers—share personally identifiable information (PII) and plan asset data, and therefore increase their risks of cyberhacks.

The PII contains highly confidential plan information, including participant names, Social Security numbers, dates of birth, addresses and usernames/passwords, while plan asset data contains numbers for retirement and bank accounts.

The shift to remote work in the past year in response to the coronavirus pandemic has raised concerns about cyberattacks and questions about whose responsibility it is to protect participant and plan data. Even before COVID-19 hit workforces, the 2019 “Official Annual Cybercrime Report” measured an increase in the threat of cyberattacks, noting that such attacks are the fastest growing crime in the U.S. and estimating that they could cost more than $6 trillion globally by this year.

While existing federal requirements attempt to minimize risks in DC plans, the GAO notes that more guidance is needed on cybersecurity on a federal level. The GAO explains that not all entities involved in DC plans are considered to have direct engagements with confidential information, and because some of the guidance is voluntary, some parties can choose to disregard it.

The GAO says the Department of Labor (DOL) has failed to clarify fiduciary responsibility for mitigating cybersecurity risks and establish minimum expectations for protecting PII and plan assets, even as more participants enroll in employer-sponsored retirement plans. According to the DOL, plans saw a 180% surge in participants from 1990 to 2018. The amount of assets held in these plans increased seven-fold during this period.

The report highlights four high-risk challenges that the federal government and companies face: establishing a comprehensive cybersecurity strategy and performing effective oversight; securing federal systems and information; protecting cyber critical infrastructure; and protecting privacy and sensitive data.

To tackle these obstacles, the GAO identified 10 action items the DOL and other agencies should take, such as enhancing the federal response to cyber incidents, mitigating global supply chain risks, and addressing cybersecurity workforce management challenges.

The GAO also recommended that the secretary of labor should formally state whether cybersecurity is a plan fiduciary responsibility for private sector employer-sponsored DC retirement plans under the Employee Retirement Income Security Act (ERISA). Additionally, the GAO suggested the labor secretary develop and issue guidance that identifies the minimum expectations for decreasing cybersecurity risks. This should outline any specific requirements that should be taken by all entities involved in administering private sector DC retirement plans.

In written comments, the DOL responded that it would be helpful to increase cybersecurity awareness, but it did not indicate whether it agreed or disagreed with the GAO’s recommendation on plan fiduciary responsibility. The DOL did note, however, that plan fiduciaries are responsible for acting prudently and solely in the interest of plan participants and beneficiaries, as stated in ERISA Section 404.

The DOL further noted that, in its view, these duties require plan fiduciaries to take appropriate precautions to minimize attacks to their plans. Furthermore, the department says it is currently drafting compliance assistance materials to help raise awareness on cybersecurity.

More information on the GAO’s report can be found here.
