GAO Asked to Examine Retirement System Cybersecurity

In a letter to the Government Accountability Office (GAO), lawmakers said retirement savings are "a tempting target for criminals who could hack into plans and individuals’ accounts to access information, commit identity fraud, and steal retirement savers’ nest eggs."

Senator Patty Murray, D-Washington, Ranking Member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, and Congressman Bobby Scott, D-Virginia, Chairman of the House Committee on Education & Labor, sent a letter to Gene Dodaro, Comptroller General of the U.S. Government Accountability Office (GAO), requesting that the GAO examine the cybersecurity of the retirement system.

The letter identifies 10 questions the lawmakers would like the GAO to answer, following its examination.


“Retirement savings held in defined contribution plans, like 401(k) plans, have grown steadily in recent years, reaching over $5 trillion in 2017. These savings, the new methods of connecting savers with their retirement plans, and the digital interactions between the plans and their service providers hold great promise for both increasing financial literacy and improving financial security for retirement. At the same time, they are also a tempting target for criminals who could hack into plans and individuals’ accounts to access information, commit identity fraud, and steal retirement savers’ nest eggs. It is important that workers and retirees know their savings are in fact safe, and that a cyberattack will not throw the retirement they have spent years working and planning for into jeopardy,” they wrote.

According to Summer Conley, partner in the Los Angeles office of Drinker Biddle & Reath LLP, and Michael Rosenbaum, a partner in the firm’s Chicago office, the Employee Retirement Income Security Act (ERISA) regulation governing electronic disclosure of plan communications requires that plan fiduciaries take “appropriate and necessary” steps designed to make sure the electronic system for providing plan information protects the confidentiality of personal information and includes measures designed to prevent unauthorized access to it. Thus, a retirement plan committee has an obligation to protect participant information provided through an electronic system.

The ERISA Advisory Council asked the Department of Labor (DOL) to provide guidance on how plan sponsors should evaluate the cybersecurity risks they face and to require them to be familiar with the various security frameworks used to protect data as well as to build a cybersecurity process.

A new Aon plc report highlights that as companies continue to use technology to speed up the transfer of information, not only are game-changing business opportunities created, but so is increased cyber risk. The Segal Group has recommended steps defined contribution (DC) plan sponsors can take to hedge against cybersecurity risk.

At least one DC plan provider, John Hancock Retirement Plan Services (JHRPS), offers a Cybersecurity Guarantee to reimburse eligible participants for unauthorized transfers from their 401(k) retirement accounts.
