From the U.S. Government Accountability Office, www.gao.gov

Transcript for: The Cybersecurity Risks Facing Retirement Savings Plans

Description: More than 100 million workers participate in
employer-sponsored retirement savings plans--such as 401Ks. Together,
their contributions represent nearly $6.3 trillion in assets. However,
these assets and individuals' data, which are used for record keeping,
make for attractive targets for cyberattacks. And, if attacked, losses
could have significant impacts on the privacy and financial security of
aging Americans. We talk with two directors who have a new report out on
the risks to retirement savings data and the federal government's role
in protecting it.

Related GAO Work: GAO-21-25, Defined Contribution Plans: Federal
Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other
Retirement Plans

Released: March 2021

[Intro Music]

[Nick Marinos:] The stakes don't get much higher than securing people's
most sensitive information and assets from cyberattacks. 

[Holly Hobbs:] Hi and welcome to GAO's Watchdog Report, your source for
news and information from the U.S. Government Accountability
Office--celebrating 100 years of fact-based, non-partisan government
oversight. I'm Holly Hobbs. More than 100 million workers participate in
employer-sponsored retirement savings plans--such as 401Ks. Together,
their contributions represent nearly $6.3 trillion in assets. However,
these assets and individuals' data, which are used for record keeping,
make for attractive targets for cyberattacks. And, if attacked, losses
could have significant impacts on the privacy and financial security of
aging Americans. 

Today we talk with two directors who have a new report out on the risks
to retirement savings data and the federal government's role in
protecting it. Joining us are:

- Kris Nguyen--a director in our Education, Workforce, and Income
Security Team--and
- Nick Marinos--a director in our Information Technology and
Cybersecurity Team.

Thank you for joining us Kris and Nick! 

[Kris Nguyen:] Thank you for having me.

[Nick Marinos:] Thanks a lot, Holly!

[Holly Hobbs:] So Kris, can you tell us a little bit about the kind of
information that is collected for retirement savings plans, and how it's
used?

[Kris Nguyen:] Retirement plan sponsors and their service providers
collect a range of personally identifiable information to enroll
participants in retirement plans, as well as to provide services through
the plans to their participants. The information they collect can
include names, social security number, date of birth, as well as bank
account information. 

[Holly Hobbs:] And Nick, what are the kinds of risks and threats to
individuals' data? 

[Nick Marinos:] Well Holly, it goes without saying that the more
valuable and personal the information, the longer the list of threats.
Maybe the easiest thing to do here is to just walk you through an
example that combines a few of these threats. So let's say an employee,
approaching retirement, receives an email that looks to be legitimately
coming from the retirement plan provider. And it contains a link to a
website that also looks legit. It asked the individual to provide some
personal information--maybe an account number, address information, or
maybe even something more secretive like their password to the account.
But, this email is an example of a spear-phishing attack, which targets
an individual in the hopes of fooling them into revealing information
that would be otherwise kept private. Now, what could be done with that
information? Well first, the information could be used to actually take
over an individual's account. And although we don't have a great sense,
in the current sources of information on cyberattacks as to the numbers
by industry, in recent years we have seen a number of legal claims
alleging that unauthorized access has indeed occurred. So for example,
one individual filed a claim that alleged over the course of two months,
that a threat actor was able to obtain almost $250,000 from an
unauthorized distribution of a participant's retirement account, after
that threat actor had obtained some of that participant's PII, including
the last four digits of their social security number, date of birth, and
other information that they used to gain access to their online account. 

[Holly Hobbs:] So, what are the requirements for protecting this data? 

[Nick Marinos:] There are a few federal reporting requirements--one in
law and a couple that are more like rules and regulations. So, on the
law side, we have Gramm-Leach-Bliley (Act), which was enacted,
essentially, to expand and tighten consumer data privacy safeguards, and
to help emphasize that financial institutions themselves have to respect
the privacy of customers and customers' personal information. Then we've
got the Federal Trade Commission that came out with a safeguard rule
which basically calls for financial institutions to actually have
an information security program in place, and then actually to put
forward security protections to reduce any risks that personal
information might be compromised or stolen. But here's the thing, these
only apply to entities that are identified as financial institutions.
But the reality is in the retirement plan industry, that there are more
entities that play a part that may not actually be financial
institutions. Now the Department of Labor also has regulations with
respect to the industry, particularly related to like plan disclosures
and record retention. But I'll let Kris get into talking a little bit
about what we found with respect to Labor.

[Holly Hobbs:] So Kris?

[Kris Nguyen:] As Nick noted, many of the existing efforts do not
directly apply to the various entities that administer these
employer-sponsored retirement accounts. The Department of Labor has
stated that plan sponsors and their service providers should have secure
systems to protect the covered individuals and their personal
information. However, DOL has not issued a formal statement on whether
addressing cybersecurity risks is a fiduciary responsibility for the
plan sponsors and their service providers, nor has it provided guidance
regarding minimum expectations for addressing these risks.

[Music:]

[Holly Hobbs:] So, it sounds like the federal government requires
financial institutions to protect the data they collect for retirement
plans, but that other entities that are not financial institutions have
access to this data, and are not held to the same requirements for
ensuring this information is safe from cyberattacks. Kris, did we make
any recommendations to improve the security of data used for
employer-sponsored retirement plans?

[Kris Nguyen:] We made two recommendations to the Department of Labor to
address the gaps that we found. We recommended that DOL formally state
whether cybersecurity is a fiduciary responsibility for retirement plan
sponsors and their service providers, and also to develop guidance to
provide minimum expectations for addressing these risks, and to provide
requirements that should be taken by all entities involved in
administering these plans. 

[Holly Hobbs:] And last question for you both--what's the bottom line of
this report? Kris, let's start with you.

[Kris Nguyen:] The bottom line is that millions of Americans rely on
their retirement accounts for their retirement security, and in many
cases, they hold the participants' life savings. And a cyberattack could
cause significant losses. Our recommendations to the Department of Labor
will help the agency in providing reasonable assurances that personal
information and plan asset data will be adequately protected. 

[Holly Hobbs:] And Nick?

[Nick Marinos:] Yeah, I would agree with Kris. I mean the stakes don't
get much higher than securing people's most sensitive information and
assets from cyberattacks. And unfortunately we're reading in the news
every single day how cyberthreats are definitely not going away any time
soon. So that really makes it important for public and private sector
organizations within the retirement plan industry to take these issues
seriously in order to overcome them.

[Holly Hobbs:] That was Kris Nguyen and Nick Marinos talking about GAO's
recent report on the cybersecurity of employer-sponsored retirement
plans. Thank you for your time Nick and Kris! 

[Kris Nguyen:] Thank you!

[Nick Marinos:] Thanks again, Holly. Appreciate it!

[Holly Hobbs:] And thank you for listening to the Watchdog Report. To
hear more podcasts, subscribe to us on Apple Podcasts. And make sure you
leave a rating and review to let others know about the work we're doing.
For more from the congressional watchdog, the U.S. Government
Accountability Office, visit us at GAO.gov.