Report confirms cyber threats pose major risk to the over one hundred million Americans with a private defined contribution retirement plan, like a 401k
As of 2018, 106 million people were participating in private sector employer-sponsored defined contribution retirement plans with assets of nearly $6.3 trillion
GAO recommends Department of Labor issue guidance on fiduciaries’ responsibilities regarding cybersecurity
Murray: “This report confirms cybersecurity and retirement security go hand in hand, and it’s time we make sure we have policies that reflect that reality.”
Scott: “The hard-earned retirement savings of Americans must remain safe and protected against potential cyberattacks.”
Hassan: “Americans who plan and save for retirement should be able to count on the security of their savings, but a cyberattack can put that all in jeopardy in the blink of an eye.”
(Washington, D.C.) – Today, Senator Patty Murray (D-WA),
Chair of the Senate Health, Education, Labor, and Pensions (HELP) Committee,
Congressman Bobby Scott, Chair of the House Education and Labor Committee, and
Senator Maggie Hassan (D-NH) released a report from the
Government Accountability Office looking at the risk cybersecurity threats pose
to retirement plans that serve over 100 million people. GAO conducted its
investigation in response to an inquiry the Members sent in 2019.
“It’s clear that in too many ways, the
policies we have to protect families as they plan for the future are stuck in
the past. This report confirms cybersecurity and retirement security go hand in
hand, and it’s time we make sure we have policies that reflect that reality.
I’ll be working with my colleagues, and with the Biden Administration to follow
through on the findings in this report so we can make sure workers and retirees
know their savings are in fact safe, and that a cyberattack will not throw their
retirement into jeopardy,” said Senator Murray.
“The hard-earned retirement savings of
Americans must remain safe and protected against potential cyberattacks. That’s
why Senator Murray, Senator Hassan, and I asked GAO to conduct this critical
review. GAO’s highly anticipated report provides useful information on
the threats and vulnerabilities confronting retirement savings plans and
includes recommendations to the Labor Department for action. I look forward to
working with my colleagues and the Biden Administration on addressing
GAO’s recommendations and safeguarding workers’ retirement savings,” said Chairman Robert C. “Bobby” Scott
(VA-03), of the House Committee on Education and Labor.
“Americans who plan and save for retirement
should be able to count on the security of their savings, but a cyberattack can
put that all in jeopardy in the blink of an eye,” said Senator Hassan. “This GAO report
makes clear just how important it is to strengthen cybersecurity for retirement
plans. I look forward to working with my colleagues on both sides of the aisle
to follow through on the report’s recommendations by modernizing cybersecurity
requirements for those who administer retirement plans.”
The report looked at the exchange of
people’s personal and financial information during the administration of
retirement plans and the cybersecurity risks associated with this exchange. It also
examined federal and industry efforts to mitigate cybersecurity risks. The report
recommends that the Department of Labor make clear whether fiduciaries are
responsible for cybersecurity, and issue guidance on minimum expectations for
mitigating cybersecurity risks.
“Private sector employer-sponsored DC
retirement plans are a crucial component of retirement security for millions of
Americans. In many cases, they may hold a participant’s life savings. A single
cyber attack at any point in the complex web of entities working together to
administer a retirement plan could cause enormous losses of both PII and plan
assets, which could lead to identity theft or severe financial and other
ramifications for plan participants. Accordingly, it has become imperative that
industry and government prevention and mitigation efforts evolve to keep pace
with these threats,” wrote GAO in the conclusion of the report.
“While federal and private sector industry
partners have efforts to help mitigate cybersecurity risks, many of these
efforts do not directly apply to several of the various entities that
administer DC plans. As a result, plan fiduciaries and their service providers
rely on a patchwork of federal regulations, guidance, and industry leading
practices to help them mitigate cybersecurity risk in DC plans. If DOL is to
have reasonable assurance that plans have effective cybersecurity measures in place,
it must be sure that plan fiduciaries understand their responsibilities in
protecting PII and plan assets. Until DOL formally clarifies plan fiduciaries’
responsibilities and provides minimum expectations related to cybersecurity,
fiduciaries may not realize that they could be liable for losses they were
obligated to prevent, and plans and their participants will continue to be
vulnerable to financial losses and PII breaches. Such risks could lead to the
erosion of confidence in our nation’s private pension system.”
Read the full GAO report HERE.
###