Defined Contribution Plans: Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans

GAO-21-25 Published: Feb 11, 2021. Publicly Released: Mar 15, 2021.
Jump To:
Fast Facts

In 2018, about 106 million people participated in employer-sponsored defined contribution retirement plans, such as 401(k) plans. Assets in these plans were worth about $6.3 trillion.

A host of plan administrators share the personal information used to administer these plans via the internet, which can lead to significant cybersecurity risks. In some cases, there is no federal guidance about how to mitigate these risks.

The Department of Labor hasn't clarified whether plan administrators are responsible for mitigating cybersecurity risks and hasn’t set minimum expectations for protecting personal information. We recommended that the DOL do so.

Image of lock and coins on top of a computer keyboard

Skip to Highlights
Highlights

What GAO Found

In their role administering private sector employer-sponsored defined contribution (DC) retirement plans, such as 401(k) plans, plan sponsors and their service providers—record keepers, third party administrators, custodians, and payroll providers—share a variety of personally identifiable information (PII) and plan asset data among them to assist with carrying out their respective functions (see figure). The PII exchanged for DC plans typically include participant name, Social Security number, date of birth, address, username/password; plan asset data typically includes numbers for both retirement and bank accounts. The sharing and storing of this information can lead to significant cybersecurity risks for plan sponsors and their service providers, as well as plan participants.

Data Sharing Among Plan Sponsors and Service Providers in Defined Contribution Plans

Data Sharing Among Plan Sponsors and Service Providers in Defined Contribution Plans

Federal requirements and industry guidance exist that could mitigate cybersecurity risks in DC plans, such as requirements that pertain to entities that directly engage in financial activities involving DC plans. However, not all entities involved in DC plans are considered to have such direct engagement, and other cybersecurity mitigation guidance is voluntary. Federal law nevertheless requires plan fiduciaries to act prudently when administering plans. However, the Department of Labor (DOL) has not clarified fiduciary responsibility for mitigating cybersecurity risks, even though 21 of 22 stakeholders GAO interviewed expressed the view that cybersecurity is a fiduciary duty. Further, DOL has not established minimum expectations for protecting PII and plan assets. DOL officials told GAO that the agency intends to issue guidance addressing cybersecurity-related issues, but they were unsure when it would be issued. Until DOL clarifies responsibilities for fiduciaries and provides minimum cybersecurity expectations, participants' data and assets will remain at risk.

Why GAO Did This Study

Cyber attacks against information systems (IT) are perpetuated by individuals or groups with malicious intentions, from stealing identities to appropriating money from accounts. DC plans, which allow individuals to accumulate tax-advantaged retirement savings, increasingly rely on the internet and IT systems for their administration. Accordingly, the need to secure these systems has become paramount. Ineffective data security controls can result in significant risks to plan data and assets. In 2018, DC plans enrolled 106 million participants and held nearly $6.3 trillion in assets, according to DOL.

This report examines (1) the data that sponsors and providers exchange during the administration of DC plans and their associated cybersecurity risks, and (2) efforts to assist sponsors and providers to mitigate cybersecurity risks during the administration of DC plans. GAO interviewed key entities involved with DC plans, such as sponsors and record keepers, DOL officials and industry stakeholders; and reviewed relevant federal laws, regulations, and guidance.

Skip to Recommendations

Recommendations

GAO is making two recommendations to DOL to formally state whether it is a fiduciary's responsibility to mitigate cybersecurity risks in DC plans and to establish minimum expectations for addressing cybersecurity risks in DC plans. DOL agreed with GAO's second recommendation but did not state whether it agreed or disagreed with the first one. GAO believes both recommendations are warranted.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Labor The Secretary of Labor should formally state whether cybersecurity for private sector employer-sponsored defined contribution retirement plans is a plan fiduciary responsibility under ERISA. (Recommendation 1)
Open
In February 2021, DOL neither agreed nor disagreed with this recommendation. The agency stated that plan fiduciaries must act prudently and solely in the interest of plan participants and beneficiaries, and that these duties require plan fiduciaries to take appropriate precautions to mitigate risks of malfeasance to their plans, whether cyber or otherwise. DOL also cited existing regulations on electronic records and electronic disclosures that include provisions to ensure systems are safe and personal information is protected. While these regulations are important, we believe making a formal statement will help ensure that plan fiduciaries are clear on their responsibility to mitigate cybersecurity risk in private sector employer-sponsored DC retirement plans to better protect PII and plan assets. In April 2021, DOL announced new guidance for plan sponsors, plan fiduciaries, record keepers and plan participants on best practices for maintaining cybersecurity, including tips on how to protect the retirement benefits of America's workers. DOL issued three forms of cybersecurity guidance: 1) Tips for Hiring a Service Provider; 2) Cybersecurity Program Best Practices; and 3) Online Security Tips. Within Cybersecurity Program Best Practices, DOL states that "responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks," and "the Employee Benefits Security Administration has prepared the following best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries making prudent decisions on the service providers they should hire." As of September 2022, GAO asserts that these DOL actions amount to a statement by DOL that describes the responsibility of plan fiduciaries under ERISA to include mitigating cybersecurity risk in retirement plans.
Department of Labor The Secretary of Labor should develop and issue guidance that identifies minimum expectations for mitigating cybersecurity risks that outline the specific requirements that should be taken by all entities involved in administering private sector employer-sponsored defined contribution retirement plans. (Recommendation 2)
Open
DOL agreed that increasing awareness of fiduciaries' duties under ERISA with respect to cybersecurity would be helpful. DOL stated it is drafting compliance assistance materials to help (1) increase awareness among plan fiduciaries of DOL's position on cybersecurity risk mitigation and (2) ensure that fiduciaries satisfy their ERISA obligations when selecting and monitoring service providers. We believe that, in addition, DOL should identify minimum expectations for mitigating cybersecurity risks for all entities involved in the administration of DC plans. GAO believes that fully implementing this recommendation will provide assurances to the agency, and to DC plan participants and beneficiaries, that PII and plan asset data are being adequately and consistently protected in DC retirement plans. In April 2021, DOL announced new guidance for plan sponsors, plan fiduciaries, record keepers and plan participants on best practices for maintaining cybersecurity, including tips on how to protect the retirement benefits of America's workers. DOL issued three forms of cybersecurity guidance: 1) Tips for Hiring a Service Provider; 2) Cybersecurity Program Best Practices; and 3) Online Security Tips. Within Cybersecurity Program Best Practices, DOL states that "plans' service providers should: have a formal, well documented cybersecurity program; conduct prudent annual risk assessments; have reliable annual third party audit of security controls; have strong access control procedures; conduct periodic cybersecurity awareness training; encrypt sensitive data; implement strong technical controls, among other items. Within Tips For Hiring a Service Provider with Strong Cybersecurity Practices, DOL indicated that plan sponsors should use service providers that follow strong cybersecurity practices; the guidance provides information on how plan administrators are to evaluate providers' cybersecurity posture. As of September 2022, we maintain that these statements and guidance identify for plan administrators minimum expectations and specific requirements for mitigating cybersecurity risks in retirement plans.

Full Report

GAO Contacts