
Policymakers Set Sights on Cybersecurity Threats to Retirement System

Government Affairs

Two key members of Congress are interested in learning more about potential threats cyberattacks pose to the U.S. retirement system and what industry stakeholders are doing to address them.

In a Feb. 12 letter to the U.S. Government Accountability Office (GAO), Sen. Patty Murray (D-WA), ranking member of the Senate Health, Education, Labor and Pensions (HELP) Committee, and Rep. Bobby Scott (D-VA), Chairman of the House Committee on Education & Labor, asked the GAO to examine these issues with an eye towards recommending potential policy solutions.  

“It is important that workers and retirees know their savings are in fact safe, and that a cyberattack will not throw the retirement they have spent years working and planning for into jeopardy,” Murray and Scott write. 

The members observe that, under current law, retirement plan fiduciaries are responsible for designing and administering plans in the best interests of plan participants, but note that existing law does not address a number of questions related to cybersecurity issues. In addition, they note that retirement plans fall within a regulatory patchwork of federal and state laws. 

Given the apparent risk, Murray and Scott ask the GAO to address several questions that appear to fall within 10 subtopics, such as: 

  • What are plan sponsors and service providers doing to ensure that they are taking the necessary steps to protect plan data and plan participants from these threats?
  • In the event of a data breach, what steps should plan sponsors be required to take to protect plan participants, and similarly, what are the circumstances and processes under which plan service providers disclose a breach to a plan sponsor?
  • Do current ERISA bonding requirements sufficiently insure against these risks, and would requiring cybersecurity insurance in addition to existing ERISA bonding requirements mitigate some of these risks?
  • To the extent cybersecurity insurance is not sufficiently available on the commercial market, should Congress consider establishing a federal cybersecurity insurer? 
  • What are other countries doing to prevent cyberattacks involving retirement savings? 
  • What are possible legislative and regulatory options?

Growing Awareness 

While there apparently is no comprehensive cybersecurity protocol for retirement plan administration at the federal level, the issue of cyberattacks is garnering increasing attention within the industry. 

A newly released cybersecurity risk report by Aon – “What’s Now and What’s Next” – details the greatest cybersecurity threats and challenges organizations may face in 2019. The risks illustrate how, as organizations transition to a digital-first approach across all transactions, the number of touch points that cybercriminals can access within a business is growing exponentially and sometimes in unexpected ways, the report warns. 

To help plan sponsors ensure their employees’ data is protected within their retirement plan, the SPARK Institute in Sept. 2017 announced new industry best practices for how recordkeepers should report their cybersecurity capabilities to plan sponsors and plan consultants.

And a separate industry-led project announced last year by the Financial Services Information Sharing and Analysis Center (FS-ISAC) – dubbed Sheltered Harbor – seeks to expand a cyberattack backup program to 401(k) accounts and pension funds to provide an extra layer of protection in the event of a cyberattack. 

Additionally, the SPARK Institute and FS-ISAC created the Retirement Industry Council (RIC) to provide similar information sharing and threat intelligence in the retirement industry.