Cybersecurity concerns raised by the Government Accountability Office (GAO) are sending a message to all, and retirement plan sponsors should be paying attention. The GAO's cyber duties are widening, as evidenced by the growing conversations and resources around cybersecurity concerns. In tandem, the U.S. Congress is asking questions about cybersecurity and how it pertains to retirement plans.
As a reminder, it is a good time to revisit the letter previously sent to the GAO by Senator Patty Murray, D-Wash., and Congressman Bobby Scott, D-Va. The letter asked 10 key (multi-part) questions about retirement plans and cybersecurity. The question remains: what is the government doing about retirement plan cybersecurity? The letter inquired about the cybersecurity protections currently in place for retirement plans and asked what else can be done moving forward.
Sen. Murray and Congressman Scott point out that “while the digitization and online storage of account information provide many advantages, it also creates new risks for plans and participants…” In addition, they note that current law does not address many questions relevant to retirement plan cybersecurity, and that the challenge is that retirement plans “fall within a patchwork of federal and state laws and regulations.” Sen. Murray and Congressman Scott have respectfully requested that the GAO address the following:
- Given the potential threats cyber attacks pose to U.S. retirement plan data, it seems that many plan participants and beneficiaries may be at risk. Plan fiduciaries should be taking steps to protect plan data and plan participants.
- To what extent have plan sponsors and recordkeepers thoroughly assessed security and privacy risks?
- Have plan fiduciaries adopted appropriate measures to ensure that plan data, participants’ personal information, and participants’ retirement savings are adequately safeguarded?
- What are plan service providers doing to ensure they are taking the necessary steps to protect plan data and plan participants from these threats?
- In the event of a data breach, what steps should plan sponsors be required to take to protect plan participants?
- Do current ERISA bonding requirements sufficiently insure against these risks? Would requiring cybersecurity insurance, in addition to existing ERISA bonding requirements, mitigate some of these risks? If so, are these policies widely available?
- If Congress were to contemplate such a requirement, what would a proper amount be, and which parties should be required to be bonded?
- To the extent that cybersecurity insurance is not sufficiently available on the commercial market, should Congress consider establishing a federal cybersecurity insurer?
- To what extent do the National Cyber Strategy and relevant federal agencies’ policies prioritize working with the private sector to deter potential cyber attacks involving participants’ retirement savings?
Plan sponsors need to be asking themselves – and their fellow retirement plan fiduciaries and Retirement Committees:
- Are you confident that your plan PPTs/employees practice good cyber/fraud hygiene in the workplace?
- When was the last time you evaluated your plan’s cybersecurity and fraud protections?
- How much should cybersecurity concerns and fraud be weighted when scoring RFP responses?
- What are the basic resources plan sponsors can expect from their provider to help prevent fraud?
If you are interested in learning more about what prudent plan fiduciaries are doing to actively protect their plan participants’ assets, attend the next TPSU Virtual Town Hall Meeting.
Register for Preventing Fraud in Your Retirement Plan, co-hosted by TPSU, DCIIA, and SPARK. The program takes place Friday, June 12, 2020, from 2:00 PM to 3:00 PM ET.
Learn how you can better protect your plan assets and guard participants against retirement plan fraud, as panelists delve into cybersecurity concerns, data security, insurance coverage, risk management, and guarantees.