Citing data breaches in multiple industries, the U.S. Government Accountability Office on Monday called on the Labor Department to step up protections for investors in retirement plans against the growing threat of cyber theft.
In a report on the cybersecurity of the nation’s private retirement industry, Congress’s watchdog agency recommended that the Labor Department, which regulates 401(k) and other retirement plans, clarify that employers and administrators that serve as 401(k) plan fiduciaries have a legal responsibility to protect participants’ private information and savings from online theft.
The GAO also called on the Labor Department to issue standards to guide the retirement industry in protecting 401(k) accounts.
Until the Labor Department takes such steps, “participants’ data and assets will remain at risk,” the report said, adding that “it has become imperative that industry and government prevention and mitigation efforts evolve to keep pace with these threats.”
SHARE YOUR THOUGHTS
What steps have you taken to protect your 401(k)s and other assets against cybersecurity threats? Join the conversation below.
Labor Department officials declined to comment.
In the report, Labor Department officials told GAO investigators that they believe cybersecurity is a large problem for retirement plans and that the department plans to issue guidance to 401(k) sponsors and administrators on protecting 401(k) participants from breaches.
Little data on 401(k) breaches is available.
Those who work in the retirement industry have said there has been a rise in online theft of both 401(k) participants’ personal information and savings in recent years.
About $11.3 trillion is in individual retirement accounts, and 401(k)-like accounts hold $9.3 trillion.
Recent court cases, involving hundreds of thousands of dollars allegedly stolen from three people in separate 401(k) plans, highlight the risks to workers and retirees.
While 401(k) record-keepers generally promise to reimburse consumers for such losses, there are no guarantees, and some participants have sued employers and record-keepers to seek reimbursement.
According to the GAO report, a big source of vulnerability comes from the data employers and 401(k) service providers share electronically, including participants’ Social Security numbers, addresses and birth dates.
In some cases, the report said, insiders employed by 401(k) plan sponsors have perpetrated these crimes.
A patchwork of federal laws and regulations governs responsibility for cybersecurity in 401(k) plans, the report said. But individual laws might not apply to all the parties involved in administering the plans, it said.
The federal Employee Retirement Income Security Act of 1974, which governs 401(k) plans, was enacted before the internet. As a result, questions including who bears the risk for losses associated with cyber theft remain ill-defined, said a 2019 letter from Rep.
Bobby Scott
(D., Va.) and Sen.
Patty Murray
(D., Wash.) to the GAO requesting the report.
In a statement, Sen. Murray said: “This report confirms cybersecurity and retirement security go hand in hand, and it’s time we make sure we have policies that reflect that reality.”
Write to Anne Tergesen at anne.tergesen@wsj.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8