Enough high-profile cyber incidents involving retirement plans have occurred that lawmakers have begun asking questions. The Comptroller General of the U.S. Government Accountability Office has been asked by members of Congress to examine the issue and answer 10 crucial questions to help guide lawmakers’ next move.
The officials say they are concerned about retirement plan data and assets, as well as the financial wellbeing of American workers and retirees. For recordkeepers, it’s yet another reason to take cyber fraud risks seriously and minimize your exposures. Here’s what to know.
Congress Sends Letter to the GAO
As an independent legislative agency, the U.S. Government Accountability Office (GAO) studies government spending and operations as well as consumer protection and social welfare issues, all areas impacted by the security of the retirement savings system for workers.
In February 2019, Congress first sent a letter to the GAO, asking it to study the cybersecurity of the private retirement system. Senator Patty Murray, D-Washington, Ranking Member of the Senate Health, Education, Labor and Pensions (HELP) Committee, and Congressman Bobby Scott, D-Virginia, Chairman of the House Committee on Education and Labor, addressed the letter to Gene Dodaro, Comptroller General of the GAO.
The letter noted that retirement plan savings have surpassed $5 trillion, making it a tempting target for cyber criminals. The lawmakers also told the GAO it was important for workers and retirees to know their savings are safe and that any cyber attacks that do occur do not have the potential to “throw the retirement they have spent years working and planning for into jeopardy.”
However, Murray and Scott raised questions about the current system, noting that safeguards, risks and liabilities for plan stewards and participants remain “ill-defined,” while a “patchwork of federal and state laws and regulations” do not address “a number of questions related to cybersecurity.”
Questions from Lawmakers on Retirement Cybersecurity
The lawmakers posed the following 10 questions for the GAO to answer in the course of its examination of the U.S. retirement savings system:
- What potential threats do cyberattacks pose to U.S. retirement plan data and ultimately to plan participants’ financial well-being?
- Given these threats, what are plan sponsors doing to ensure that, as plan fiduciaries, they are taking steps to protect plan data and plan participants? To what extent have plan sponsors and recordkeepers thoroughly assessed security and privacy risks and adopted appropriate measures to ensure that plan data, participants’ personal information and participants’ retirement savings are adequately safeguarded?
- What are plan service providers doing to ensure they are taking the necessary steps to protect plan data and plan participants from these threats? When a data breach does occur, what are the circumstances and the processes under which plan service providers disclose a breach to a plan sponsor?
- To what extent do federal laws and regulations require plan sponsors, recordkeepers and other retirement plan service providers to protect plan data and plan participants from these risks?
- In the event of a data breach, what steps should plan sponsors be required to take to protect plan participants?
- Do current ERISA bonding requirements sufficiently insure against these risks? Would requiring cybersecurity insurance in addition to existing ERISA bonding requirements mitigate some of these risks? If so, are these policies widely available? Are they cost prohibitive? If Congress were to contemplate such a requirement, what would a proper bond amount be and which parties should be required to be bonded?
- To the extent that cybersecurity insurance is not sufficiently available on the commercial market, should Congress consider establishing a federal cybersecurity insurer?
- To what extent do the National Cyber Strategy and relevant federal agencies’ policies prioritize working with the private sector to deter potential cyberattacks involving participants’ retirement savings?
- What are retirement plan sponsors, industry stakeholders and government regulators in other countries doing to prevent cyberattacks involving retirement savings, and what lessons, if any, should the U.S. take from them?
- What are possible legislative or regulatory options to bolster the protection of both the data and accounts of retirement savers?
Steps for Retirement Plan Recordkeepers
It’s clear from the questions lawmakers are asking that new rules and regulations may be on the way for recordkeeping professionals, but nothing is certain yet. Like many government projects, the GAO study of the retirement savings system will take time.
The study began in 2019 and is still ongoing. No report has been released addressing Senator Murray and Congressman Scott’s questions. However, recordkeepers don’t have to wait to take action.
There are steps you can take today to protect your plan assets and data, plan participants and fiduciary career from the risks posed by a cyber incident:
- Create an internal process to verify the identity of participants and authenticate their distribution requests.
- Establish instant automatic notification alerts through multiple channels for account changes and transaction requests.
- Set up an automated tool to monitor accounts for suspicious activity and require additional verification as needed.
- Develop a written policy addressing who is responsible for making participants whole after a loss and under what circumstances.
- Engage plan participants in the safety of their own accounts with an onboarding process, alerts setup and ongoing education.
- Make sure you have the right cyber liability insurance protection, covering fraudulent requests and loss of assets.
At Lockton Affinity Advisor, our Cyber Liability insurance coverage is tailored to meet the needs of recordkeepers like you. Even with the best security practices, a determined fraudster may one day get through your defenses, so our coverage protects you if they do.
Lockton Affinity Advisor coverage comes with ERISA 3(21) and 3(38) protection, so you are covered for fiduciary duties you perform. Coverage also comes with individual aggregate limits, so that you have access to your full policy limits. Plus, adding Cyber Liability to your E&O policy is quick and easy with Lockton Affinity.
Visit LocktonAffinityAdvisor.com or call (844) 406-5958 to learn more.