Not only do 401(k) investors have to worry about market risk, but they also have to watch out for cybercriminals who could steal their retirement savings and identity. A Government Accountability Office (GAO) report issued on Monday recommends that the Labor Department issue guidance on the problem.

The GAO report, released by Sen. Patty Murray, D-Wash.; Rep. Bobby Scott, D-Va.; and Sen. Maggie Hassan, D-N.H., reviews cybersecurity threats to retirement plans. The agency conducted this review in response to a 2019 inquiry by the three lawmakers. Murray is chair of the Senate Health, Education, Labor, and Pensions Committee. Scott chairs the House Education and Labor Committee.

"This report confirms cybersecurity and retirement security go hand in hand, and it's time we make sure we have policies that reflect that reality," Murray said in a release.

According to the GAO report, as of 2018, there were 106 million people in private retirement plans that had roughly $6.3 trillion in assets. It notes that "a host of plan administrators share the personal information used to administer these plans via the internet, which can lead to significant cybersecurity risks. In some cases, there is no federal guidance about how to mitigate these risks."

The GAO's report urges the Labor Department to clarify whether fiduciaries are responsible for cybersecurity—and, if so, to issue guidance on minimum expectations for reducing cybersecurity risks.

Key Dangers

The report highlights that personally identifiable information (PII) is shared throughout the chain of 401(k) providers, starting at the plan sponsor and moving back and forth through third-party administrators, recordkeepers, custodians, and payroll providers.

The GAO states that one cyberattack "at any point in the complex web of entities working together to administer a retirement plan could cause enormous losses of both PII and plan assets, which could lead to identity theft or severe financial and other ramifications for plan participants." It adds that, to prevent this, both industry and government should evolve their methods to keep up with the increase in threats.

The GAO also says that "plan fiduciaries and their service providers rely on a patchwork of federal regulations, guidance, and industry-leading practices to help them mitigate cybersecurity risk in DC [defined contribution] plans."

According to the GAO report, Labor Department (DOL) officials said "the agency intends to issue guidance addressing cybersecurity-related issues, but they were unsure when it would be issued. Until DOL clarifies responsibilities for fiduciaries and provides minimum cybersecurity expectations, participants' data and assets will remain at risk."

In conclusion, the GAO states, "until DOL formally clarifies plan fiduciaries' responsibilities and provides minimum expectations related to cybersecurity, fiduciaries may not realize that they could be liable for losses they were obligated to prevent, such plans and their participants will continue to be vulnerable to financial losses and PII breaches. Such risks could lead to the erosion of confidence in our nation's private pension system."

Ginger Szala

Ginger Szala is executive managing editor of Investment Advisor magazine. She covered the financial business and alternatives industry for 30 years while editor of Futures Magazine Group. MSJ Northwestern, BA University of Wisconsin-Madison. She is based in Chicago. Go Blackhawks!