The Department of Labor (DOL) must clarify whether plan administrators are responsible for mitigating cybersecurity risks and set minimum expectations for protecting personally identifiable information (PII), a report by the Government Accountability Office (GAO) said.
In administering private-sector employer-sponsored defined contribution (DC) retirement plans, like 401(k) plans, DOL can hold information associated with these DC plans, such as participant name, Social Security number, date of birth, address, usernames, and passwords; plan asset data typically includes retirement and bank account numbers.
“The sharing and storing of this information can lead to significant cybersecurity risks for plan sponsors and their service providers, as well as plan participants,” wrote GAO.
Federal guidance exists for mitigating cybersecurity risks in DC plans, but “not all entities involved in DC plans are considered to have such direct engagement,” GAO notes.
DOL told GAO that it was planning to issue guidance on cybersecurity-related issues, but did not know when that would be. Participants’ data and assets will be at risk until DOL “clarifies responsibilities for fiduciaries and provides minimum cybersecurity expectations.”
GAO made two recommendations for DOL: that it formally state whether it is a fiduciary’s responsibility to mitigate cybersecurity risks in DC plans, and that it establish minimum expectations for addressing cybersecurity risks in DC plans. DOL agreed with the second recommendation but did not say whether it agreed or disagreed with the first.
GAO did note that 21 of the 22 stakeholders it interviewed said that cybersecurity is a fiduciary duty, and that Federal law requires plan fiduciaries to act prudently when administering plans.