Cybersecurity poses a major risk to 401(k) plans, and there is chasm in guidance on how plan fiduciaries should address it, according to a report released Monday from the Government Accountability Office.
In the report made public by several members of Congress, the GAO analyzed feedback from dozens of retirement plan service providers and sponsors. It pointed to several instances of 401(k) accounts being fraudulently raided by thieves, events that have been well-publicized through the private litigation that followed.
But the GAO concluded that plan sponsors, record keepers and others have little to go on as far as guidance from the Department of Labor, and that it also isn’t clear whether fiduciaries have responsibility to minimize cybersecurity risks, according to the report.
“GAO is making two recommendations to DOL to formally state whether it is a fiduciary’s responsibility to mitigate cybersecurity risks in DC plans and to establish minimum expectations for addressing cybersecurity risks in DC plans,” the report stated. “DOL agreed with GAO’s second recommendation, but did not state whether it agreed or disagreed with the first one.”
The report illuminates the web of personal information shared among plan sponsors, record keepers, custodians, third-party administrators and payroll service providers. The information includes names, Social Security numbers, birthdates, addresses, usernames, passwords, asset data and account numbers. The storage and sharing of that data amounts to a mountain of risks.
Among the stakeholders the GAO interviewed, 21 of 22 said that assuring cybersecurity is in fact a fiduciary duty.
How fiduciaries should go about that is currently a bit of a mystery.
“DOL officials told GAO that the agency intends to issue guidance addressing cybersecurity-related issues, but they were unsure when it would be issued,” the report read. “Until DOL clarifies responsibilities for fiduciaries and provides minimum cybersecurity expectations, participants’ data and assets will remain at risk.”
In 2019, the year that Congress commissioned the GAO report, there were roughly half a million reports to the FBI of suspected cybercrimes, with associated losses of more than $3.5 billion, according to the report. With 106 million people participating in 401(k)s and assets of about $6.3 trillion in the system in 2018, that is a big target for cyberfraud, the GAO noted.
Sen. Patty Murray, D-Wash., said in a statement that she would be working with the Biden administration and Congress to further address cybersecurity for 401(k)s.
“It’s clear that in too many ways, the policies we have to protect families as they plan for the future are stuck in the past,” Murray said in the announcement. “This report confirms cybersecurity and retirement security go hand in hand, and it’s time we make sure we have policies that reflect that reality.”
With trillions of dollars in transit, HNW expert sees a bigger picture.
Summit Financial unveiled a suite of eight new tools, including AI lead gen and digital marketing software, while MassMutual forges a new partnership with Orion.
A new analysis shows the number of actions plummeting over a six-month period, potentially due to changing priorities and staffing reductions at the agency.
The strategic merger of equals with the $27 billion RIA firm in Los Angeles marks what could be the largest unification of the summer 2025 M&A season.
Report highlights lack of options for those faced with emergency expenses.
Orion's Tom Wilson on delivering coordinated, high-touch service in a world where returns alone no longer set you apart.
Barely a decade old, registered index-linked annuities have quickly surged in popularity, thanks to their unique blend of protection and growth potential—an appealing option for investors looking to chart a steadier course through today's choppy market waters, says Myles Lambert, Brighthouse Financial.
