
GAO Calls for Definitive DOL Guidance on Cybersecurity

Fiduciary Governance

The Government Accountability Office has added its voice to those that highlight the critical importance of cybersecurity, but it goes one better. In a new report, it calls on the Department of Labor to set minimum standards for mitigating cybersecurity risks and to formally state whether it is a fiduciary’s responsibility to mitigate those risks in defined contribution plans.

In 2018, approximately 106 million people participated in employer-sponsored DC plans, with assets collectively amounting to about $6.3 trillion, the GAO observes in Defined Contribution Plans: Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans. Despite that importance, and the increase in cyber crime that puts those assets and the security of plans and plan participants at risk, the GAO says, federal activity has not been comprehensive, coordinated, or definitive—and it notes that none other than officials from the DOL itself say that “Although a compelling need exists, DOL has not issued a formal statement, either in a document or on its website, on whether it is a fiduciary’s responsibility to mitigate cybersecurity risks in retirement plans.” Nor has it set “minimum expectations for protecting personal information,” the GAO adds.

Setting the Table 

The GAO observes that several entities may be part of administering a DC plan; typically, the employer and service providers with which the employer contracts for assistance in running specific aspects of the plan. And administering a plan can involve sharing a “vast amount” of personally identifiable information (PII) and plan asset data. For instance, the report says, plan sponsors enrolling participants can entail collecting a large amount of PII, which is then shared. 

That sharing, and the storage of that information, “can lead to significant cybersecurity risks for plan sponsors and their service providers, as well as plan participants,” says the GAO. 

“The risks to systems underpinning the nation’s critical infrastructure are increasing, including insider threats from witting and unwitting employees, as security threats evolve and become more sophisticated,” the GAO says. The GAO notes that it has been expressing concern regarding this threat in increasingly specific ways for more than 20 years: since 1997, safeguarding federal information technology systems and the systems that support critical infrastructure has been among its major concerns, and in that year it designated cybersecurity as a government-wide high-risk area. In 2003, it added protection of critical cyber infrastructure to that high-risk area; in 2015, it added protecting the privacy of PII.

“Given that access to data is so pervasive, personal privacy hinges on ensuring that databases of PII maintained by government agencies or on their behalf are protected both from inappropriate access (i.e., data breaches) as well as inappropriate use (i.e., for purposes not originally specified when the information was collected),” says the report. It continues, “Likewise, the trend in the private sector of collecting extensive and detailed information about individuals needs appropriate limits. The vast number of individuals potentially affected by data breaches at federal agencies and private sector entities in recent years increases concerns that PII is not being properly protected.”

The connectivity of information systems, the internet and other electronic infrastructure increases the potential impact of cyber threats, the GAO says, and it adds that the 2019 Official Annual Cybercrime Report says that cyber attacks are the fastest growing crime in the United States. Furthermore, it notes, that report says that the global cost of cyber crime was $3 trillion in 2015 and would more than double by 2021.

Federal Efforts 

Federal law sets a background of requiring plan fiduciaries to act prudently when administering plans, the GAO says. It notes that there are some federal requirements, and some guidance for the industry, that could mitigate cybersecurity risks in DC plans; for instance, requirements that pertain to entities directly engaging in financial activities that involve DC plans. However, the GAO adds, not all entities involved in DC plans are considered to be directly engaged. And some federal measures, such as the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission Safeguards Rule, are in force but may not be applicable to all parties involved in administering DC plans.

“Guidance and tools offered by the federal government to mitigate cybersecurity risks may be helpful for the plan sponsors and service providers; however, the guidance and tools are generally voluntary and therefore do not ensure that these entities are taking appropriate actions to mitigate their cybersecurity risks,” says the GAO. It adds that “The guidance and tools may not be relevant to all entities involved in the administration of DC plans; therefore, a comprehensive set of requirements or standards does not exist for protecting the PII and plan asset data in those plans.”

Call to Action

The GAO calls for more deliberate, clear guidance from the federal government, and the DOL in particular. “A host of plan administrators share the personal information used to administer these plans via the internet, which can lead to significant cybersecurity risks. In some cases, there is no federal guidance about how to mitigate these risks,” says the GAO. Further, it says, “The Department of Labor hasn't clarified whether plan administrators are responsible for mitigating cybersecurity risks and hasn’t set minimum expectations for protecting personal information.” 

It’s not the first time that the GAO has called for action on cybersecurity. In 2018, the GAO identified critical actions it said the federal government should take to address four major cybersecurity challenges, centered on the following four areas.

1. Establishing a comprehensive cybersecurity strategy and performing effective oversight

  • Develop and execute a more comprehensive federal strategy for national cybersecurity and global cyberspace. 
  • Mitigate global supply chain risks (e.g., installation of malicious software or hardware). 
  • Address cybersecurity workforce management challenges. 
  • Ensure the security of emerging technologies (e.g., artificial intelligence and internet of things).

2. Securing federal systems and information

  • Improve implementation of government-wide cybersecurity initiatives. 
  • Address weaknesses in federal agency information security programs. 
  • Enhance the federal response to cyber incidents. 

3. Protecting cyber critical infrastructure 

  • Strengthen the federal role in protecting the cybersecurity of critical infrastructure. 

4. Protecting privacy and sensitive data

  • Improve federal efforts to protect privacy and sensitive data. 
  • Appropriately limit the collection and use of personal information and ensure that it is obtained with appropriate knowledge or consent.

Now the GAO places the onus clearly on the DOL. “Until DOL clarifies responsibilities for fiduciaries and provides minimum cybersecurity expectations, participants’ data and assets will remain at risk,” says the GAO. And it elaborates, “Without DOL formally stating whether mitigating cybersecurity risks is a plan fiduciary’s responsibility, retirement plan administrators may find it difficult to understand what is expected of them with respect to mitigating cybersecurity risks. Further, plan participants cannot be assured that plan administrators are adequately securing their PII and plan asset data to minimize identity theft and potential losses of their retirement assets.” 

The GAO suggests that the DOL could: 

  • adopt existing cybersecurity standards, such as the framework set by the National Institute of Standards and Technology;
  • adopt frameworks outlined in the 2016 ERISA Council Report;
  • adopt standards the financial sector uses to safeguard data and PII; and 
  • consider convening a group of relevant stakeholders and experts to develop a set of cybersecurity standards for ERISA plans. 

And there may be hope for something definitive. The GAO reports that “DOL officials said that they believe cybersecurity is a large problem for retirement plans, and that the agency has conducted investigations and prosecutions related to cybersecurity incidents, both civil and criminal.” Furthermore, it indicates that the DOL officials suggest ERISA may be applicable. It says that the officials “explained that by design, ERISA is meant to be broad and apply to a wide range of activity, and that its general fiduciary obligations of prudence and loyalty include cybersecurity as well as any other part of plan administration. DOL officials told us that they expect plan administrators to keep their IT systems secure as part of their fiduciary responsibility.”

The GAO makes two very specific recommendations:

  1. The Secretary of Labor should formally state whether cybersecurity for private sector employer-sponsored defined contribution retirement plans is a plan fiduciary responsibility under ERISA.
  2. The Secretary of Labor should develop and issue guidance that identifies minimum expectations for mitigating cybersecurity risks that outline the specific requirements that should be taken by all entities involved in administering private sector employer-sponsored defined contribution retirement plans.

“Both recommendations are warranted,” the GAO says. It reports that the DOL has agreed with its second recommendation but that the DOL has not said whether it agreed or disagreed with the first one. The GAO notes that the DOL responded that it intends to issue guidance addressing cybersecurity-related issues; however, it was unsure when it would do so.

The consequences of not issuing definitive guidance, warns the GAO, are that “Without guidance identifying expectations for the protection of PII and plan asset data, DOL cannot be assured that this sensitive information is being adequately or consistently protected. Further, the gaps and inconsistencies in how plan sponsors and their service providers implement appropriate security measures will continue to exist. This potential lack of adequate and consistent protection could result in substantial harm to participants and beneficiaries including loss or theft of money, identity theft, or litigation of plan fiduciaries and their administrators.”
