Retirement Plan Cyber Security Questions for GAO by Steff Chalk
Retirement plan cybersecurity has been in the headlines for years. Now, retirement plan cybersecurity is capturing attention on Capitol Hill. Specifically, Congress is asking questions about cybersecurity and how it pertains to retirement plans.
In a recent letter to the Government Accountability Office (GAO), Senator Patty Murray, D-Wash., and Congressman Bobby Scott, D-Va., asked 10 key (multi-part) questions about retirement plan cybersecurity, along with the more pointed question of what the government is doing about it. The letter inquired about the cybersecurity protections currently in place for retirement plans and, with an eye toward the future, what else can be done.
The letter highlights the juxtaposition between the widespread adoption of digital platforms and online interfaces in retirement plan cybersecurity and the resulting heightened risks: “…the new methods of connecting savers with their retirement plans, and the digital interactions between the plans and their service providers hold great promise for both increasing financial literacy and improving financial security for retirement. At the same time, they are also a tempting target for criminals who could hack into plans and individuals’ accounts to access information, commit identity fraud, and steal retirement savers’ nest eggs. It is important that workers and retirees know their savings are in fact safe, and that a cyber attack will not throw the retirement they have spent years working and planning for into jeopardy.”
Sen. Murray and Congressman Scott point out that “while the digitization and online storage of account information provide many advantages, it also creates new risks for plans and participants…” In addition, they note, current law does not address many questions relevant to retirement plan cybersecurity, and the challenge is that retirement plans “fall within a patchwork of federal and state laws and regulations.” Given that, Sen. Murray and Congressman Scott have pointedly requested the GAO to address the following questions regarding retirement plan cybersecurity as it relates to Americans and their retirement:
- What potential threats do cyber attacks pose to U.S. retirement plan data and ultimately to plan participants’ financial well-being?
- Given these threats, what are plan sponsors doing to ensure that, as plan fiduciaries, they are taking steps to protect plan data and plan participants? To what extent have plan sponsors and recordkeepers thoroughly assessed security and privacy risks and adopted appropriate measures to ensure that plan data, participants’ personal information, and participants’ retirement savings are adequately safeguarded?
- What are plan service providers doing to ensure they are taking the necessary steps to protect plan data and plan participants from these threats? When a data breach does occur, what are the circumstances and the processes under which plan service providers disclose a breach to a plan sponsor?
- To what extent do federal laws and regulations require plan sponsors, recordkeepers, and other retirement plan service providers to protect plan data and plan participants from these risks?
- In the event of a data breach, what steps should plan sponsors be required to take to protect plan participants?
- Do current ERISA bonding requirements sufficiently insure against these risks? Would requiring cybersecurity insurance in addition to existing ERISA bonding requirements mitigate some of these risks? If so, are these policies widely available? Are they cost prohibitive? If Congress were to contemplate such a requirement, what would a proper amount be, and which parties should be required to be bonded?
- To the extent that cybersecurity insurance is not sufficiently available on the commercial market, should Congress consider establishing a federal cybersecurity insurer?
- To what extent do the National Cyber Strategy and relevant federal agencies’ policies prioritize working with the private sector to deter potential cyber attacks involving participants’ retirement savings?
- What are retirement plan sponsors, industry stakeholders, and government regulators in other countries doing to prevent cyber attacks involving retirement savings, and what lessons, if any, should the U.S. take from them?
- What are possible legislative or regulatory options to bolster the protection of both the data and accounts of retirement savers?
These retirement plan cybersecurity questions are important for lawmakers and the industry to consider. In addition, plan sponsors should be discussing potential retirement plan cybersecurity risks and the protections that are (or are not) in place. These conversations should be held with both service providers and the retirement committee members. Retirement plan cybersecurity risk may be nothing new, but not being properly armed against cyber attacks poses too large a danger to participants’ retirement outcomes for plan sponsors to ignore.