In a report (the Report) released last month,[1] the Government Accountability Office (GAO) examines the cybersecurity risks that arise in administering employer-sponsored defined contribution (DC) retirement plans, such as 401(k) plans.[2] The Report calls on the Department of Labor (DOL) to state whether mitigating cybersecurity risks to DC plans is a fiduciary responsibility under the Employee Retirement Income Security Act of 1974 (ERISA), and to issue new guidance setting minimum standards for mitigating those risks.
According to the most current DOL data, approximately 106 million people participated in DC plans in 2018, and assets in these plans totaled nearly $6.3 trillion.[3] DC plans have become the dominant type of private-sector employer-sponsored plan and often represent participants' sole source of retirement savings.[4] At the same time, plan sponsors and service providers increasingly rely on the internet and IT systems to administer DC plans, so plan assets may be increasingly exposed to cyber attacks.
As the Report outlines, this is an issue of critical significance because plan administration involves the collection, storage, and exchange of vast amounts of personally identifiable information (PII) and plan asset data.[5] Given the sensitivity of this information and the regularity with which it is shared between the entities involved in administration, a successful cyber attack could have severe consequences, such as identity theft or theft of retirement savings.[6]
The Report examines current federal reporting requirements and mitigation efforts, as well as industry efforts to mitigate cybersecurity risks, and underscores that these are neither definitive nor comprehensive and are often only voluntary. Accordingly, GAO looks to DOL, which, under ERISA, is tasked with protecting the rights and financial security of plan participants.[7] In preparing the Report, GAO consulted DOL officials, who expressed the view that plan administrators' fiduciary obligations under ERISA extend to managing cybersecurity risks to plan assets and PII.[8] However, DOL has yet to issue formal guidance on whether managing cybersecurity risks is a fiduciary responsibility.[9] In the absence of such guidance, GAO reports, plan administrators lack clarity about what is expected of them, while remaining subject to legal action alleging a failure to protect assets or information from cyber attacks.[10] Relatedly, without DOL regulations setting out minimum cybersecurity expectations for plan sponsors and service providers, gaps and inconsistencies in DC plans' security measures persist.[11]
GAO concludes the Report with two recommendations to DOL. First, GAO calls on the Secretary of Labor to formally state whether cybersecurity for DC plans is a plan fiduciary responsibility under ERISA.[12] Second, GAO recommends that the Secretary develop and issue guidance that identifies minimum expectations for mitigating cybersecurity risks, outlining specific requirements that should be followed by all entities involved in plan administration.[13] Prior to releasing the Report, GAO provided these recommendations to DOL. With regard to the first recommendation, DOL did not indicate whether it agreed or disagreed; however, the agency responded that, in its view, plan fiduciaries' duties under ERISA require them to take appropriate precautions to mitigate risks of malfeasance, cyber or otherwise.[14] As to the second recommendation, DOL agreed that increasing awareness of fiduciaries' duties under ERISA with respect to cybersecurity would be helpful.[15] DOL is drafting compliance assistance materials to help (1) increase plan fiduciaries' awareness of DOL's position on cybersecurity risk mitigation and (2) ensure that fiduciaries satisfy their obligations under ERISA when selecting and monitoring service providers for plan administration.[16] DOL did not provide a timeframe for when it would release these materials.
Plan administrators should not wait for DOL to act before considering whether to implement appropriate preventive measures to address these risks. The Report cites numerous industry guides and standards that can assist plan administrators in these efforts.[17]
1. GAO-21-25, Defined Contribution Plans: Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans (2021), https://www.gao.gov/products/gao-21-25.
2. DC plans are employer-sponsored account-based retirement plans into which employees and employers make contributions, and which provide a tax advantage to retirement savings. DC plans are distinct from defined benefit plans, which traditionally promised a lifetime retirement benefit calculated using a formula that considered an employee's salary, years of service, and retirement age.
3. GAO-21-25, at 2.
4. Id. at 2–3, 5.
5. Id. at 2, 11–14.
6. Id. at 14.
7. Id. at 24.
9. Id. at 25.
10. Id. at 16–17 (summarizing recent claims).
11. Id. at 30.
13. Id. at 31.
17. Id. at 21–24.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.