From the U.S. Government Accountability Office, www.gao.gov

Transcript for: The Cybersecurity Risks Facing Retirement Savings Plans

Description: More than 100 million workers participate in employer-sponsored retirement savings plans--such as 401Ks. Together, their contributions represent nearly $6.3 trillion in assets. However, these assets and individuals' data, which are used for record keeping, make for attractive targets for cyberattacks. And, if attacked, losses could have significant impacts on the privacy and financial security of aging Americans. We talk with two directors who have a new report out on the risks to retirement savings data and the federal government's role in protecting it.

Related GAO Work: GAO-21-25, Defined Contribution Plans: Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans

Released: March 2021

[Intro Music]

[Nick Marinos:] The stakes don't get much higher than securing people's most sensitive information and assets from cyberattacks.

[Holly Hobbs:] Hi and welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office--celebrating 100 years of fact-based, non-partisan government oversight. I'm Holly Hobbs. More than 100 million workers participate in employer-sponsored retirement savings plans--such as 401Ks. Together, their contributions represent nearly $6.3 trillion in assets. However, these assets and individuals' data, which are used for record keeping, make for attractive targets for cyberattacks. And, if attacked, losses could have significant impacts on the privacy and financial security of aging Americans. Today we talk with two directors who have a new report out on the risks to retirement savings data and the federal government's role in protecting it. Joining us are:

- Kris Nguyen--a director in our Education, Workforce, and Income Security Team--and
- Nick Marinos--a director in our Information Technology and Cybersecurity Team.
Thank you for joining us Kris and Nick!

[Kris Nguyen:] Thank you for having me.

[Nick Marinos:] Thanks a lot, Holly!

[Holly Hobbs:] So Kris, can you tell us a little bit about the kind of information that is collected for retirement savings plans, and how it's used?

[Kris Nguyen:] Retirement plan sponsors and their service providers collect a range of personally identifiable information to enroll participants in retirement plans, as well as to provide services through the plans to their participants. The information they collect can include names, social security numbers, dates of birth, as well as bank account information.

[Holly Hobbs:] And Nick, what are the kinds of risks and threats to individuals' data?

[Nick Marinos:] Well Holly, it goes without saying that the more valuable and personal the information, the longer the list of threats. Maybe the easiest thing to do here is to just walk you through an example that combines a few of these threats. So let's say an employee, approaching retirement, receives an email that looks to be legitimately coming from the retirement plan provider. And it contains a link to a website that also looks legit. It asks the individual to provide some personal information--maybe an account number, address information, or maybe even something more secretive like their password to the account. But, this email is an example of a spear-phishing attack, which targets an individual in the hopes of fooling them into revealing information that would otherwise be kept private. Now, what could be done with that information? Well first, the information could be used to actually take over an individual's account. And although we don't have a great sense, in the current sources of information on cyberattacks, as to the numbers by industry, in recent years we have seen a number of legal claims alleging that unauthorized access has indeed occurred.
So for example, one individual filed a claim that alleged that over the course of two months, a threat actor was able to obtain almost $250,000 from an unauthorized distribution of a participant's retirement account, after that threat actor had obtained some of that participant's PII, including the last four digits of their social security number, date of birth, and other information that they used to gain access to their online account.

[Holly Hobbs:] So, what are the requirements for protecting this data?

[Nick Marinos:] There are a few federal reporting requirements--one in law and a couple that are more like rules and regulations. So, on the law side, we have the Gramm-Leach-Bliley Act, which was enacted, essentially, to expand and tighten consumer data privacy safeguards, and to help emphasize that financial institutions themselves have to respect the privacy of customers and customers' personal information. Then we've got the Federal Trade Commission, which came out with a safeguards rule that basically calls for financial institutions to actually have an information security program in place, and then actually to put forward security protections to reduce any risks that personal information might be compromised or stolen. But here's the thing: these only apply to entities that are identified as financial institutions. But the reality is, in the retirement plan industry, that there are more entities that play a part that may not actually be financial institutions. Now the Department of Labor also has regulations with respect to the industry, particularly related to plan disclosures and record retention. But I'll let Kris get into talking a little bit about what we found with respect to Labor.

[Holly Hobbs:] So Kris?

[Kris Nguyen:] As Nick noted, many of the existing efforts do not directly apply to the various entities that administer these employer-sponsored retirement accounts.
The Department of Labor has stated that plan sponsors and their service providers should have secure systems to protect the covered individuals and their personal information. However, DOL has not issued a formal statement on whether addressing cybersecurity risks is a fiduciary responsibility for the plan sponsors and their service providers, nor has it provided guidance regarding minimum expectations for addressing these risks.

[Music:]

[Holly Hobbs:] So, it sounds like the federal government requires financial institutions to protect the data they collect for retirement plans, but that other entities that are not financial institutions have access to this data, and are not held to the same requirements for ensuring this information is safe from cyberattacks. Kris, did we make any recommendations to improve the security of data used for employer-sponsored retirement plans?

[Kris Nguyen:] We made two recommendations to the Department of Labor to address the gaps that we found. We recommended that DOL formally state whether cybersecurity is a fiduciary responsibility for retirement plan sponsors and their service providers, and also to develop guidance to provide minimum expectations for addressing these risks, and to provide requirements that should be taken by all entities involved in administering these plans.

[Holly Hobbs:] And last question for you both--what's the bottom line of this report? Kris, let's start with you.

[Kris Nguyen:] The bottom line is that millions of Americans rely on their retirement accounts for their retirement security, and in many cases, they hold the participants' life savings. And a cyberattack could cause significant losses. Our recommendations to the Department of Labor will help the agency in providing reasonable assurances that personal information and plan asset data will be adequately protected.

[Holly Hobbs:] And Nick?

[Nick Marinos:] Yeah, I would agree with Kris.
I mean the stakes don't get much higher than securing people's most sensitive information and assets from cyberattacks. And unfortunately we're reading in the news every single day how cyberthreats are definitely not going away any time soon. So that really makes it important for public and private sector organizations within the retirement plan industry to take these issues seriously in order to overcome them.

[Holly Hobbs:] That was Kris Nguyen and Nick Marinos talking about GAO's recent report on the cybersecurity of employer-sponsored retirement plans. Thank you for your time Nick and Kris!

[Kris Nguyen:] Thank you!

[Nick Marinos:] Thanks again, Holly. Appreciate it!

[Holly Hobbs:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts. And make sure you leave a rating and review to let others know about the work we're doing. For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at GAO.gov.