Scott, Murray, Hassan Release GAO Report on Retirement Cybersecurity Which Recommends Department of Labor Issue Guidance

WASHINGTON – Today, Congressman Robert C. “Bobby” Scott (VA-03), Chair of the House Education and Labor Committee, Senator Patty Murray (D-WA), Chair of the Senate Health, Education, Labor, and Pensions (HELP) Committee, and Senator Maggie Hassan (D-NH) released a report from the Government Accountability Office (GAO) looking at the risk cybersecurity threats pose to retirement plans that serve over 100 million people. GAO conducted its investigation in response to an inquiry the Members sent in 2019.

“The hard-earned retirement savings of Americans must remain safe and protected against potential cyberattacks. That’s why Senator Murray, Senator Hassan, and I asked GAO to conduct this critical review.  GAO’s highly anticipated report provides useful information on the threats and vulnerabilities confronting retirement savings plans and includes recommendations to the Labor Department for action. I look forward to working with my colleagues and the Biden administration on addressing GAO’s recommendations and safeguarding workers’ retirement savings,” said Chairman Scott.

“It’s clear that in too many ways, the policies we have to protect families as they plan for the future are stuck in the past. This report confirms cybersecurity and retirement security go hand in hand, and it’s time we make sure we have policies that reflect that reality. I’ll be working with my colleagues, and with the Biden Administration to follow through on the findings in this report so we can make sure workers and retirees know their savings are in fact safe, and that a cyberattack will not throw their retirement into jeopardy,” said Senator Murray.

“Americans who plan and save for retirement should be able to count on the security of their savings, but a cyberattack can put that all in jeopardy in the blink of an eye,” said Senator Hassan. “This GAO report makes clear just how important it is to strengthen cybersecurity for retirement plans. I look forward to working with my colleagues on both sides of the aisle to follow through on the report’s recommendations by modernizing cybersecurity requirements for those who administer retirement plans.” 

The report looked at the exchange of people’s personal and financial information during the administration of retirement plans and the cybersecurity risks associated with this exchange. It also examined federal and industry efforts to mitigate cybersecurity risks. The report recommends that the Department of Labor make clear whether fiduciaries are responsible for cybersecurity, and issue guidance on minimum expectations for mitigating cybersecurity risks.

“Private sector employer-sponsored DC retirement plans are a crucial component of retirement security for millions of Americans. In many cases, they may hold a participant’s life savings. A single cyber attack at any point in the complex web of entities working together to administer a retirement plan could cause enormous losses of both PII and plan assets, which could lead to identity theft or severe financial and other ramifications for plan participants. Accordingly, it has become imperative that industry and government prevention and mitigation efforts evolve to keep pace with these threats,” wrote GAO in the conclusion of the report.

“While federal and private sector industry partners have efforts to help mitigate cybersecurity risks, many of these efforts do not directly apply to several of the various entities that administer DC plans. As a result, plan fiduciaries and their service providers rely on a patchwork of federal regulations, guidance, and industry leading practices to help them mitigate cybersecurity risk in DC plans. If DOL is to have reasonable assurance that plans have effective cybersecurity measures in place, it must be sure that plan fiduciaries understand their responsibilities in protecting PII and plan assets. Until DOL formally clarifies plan fiduciaries’ responsibilities and provides minimum expectations related to cybersecurity, fiduciaries may not realize that they could be liable for losses they were obligated to prevent, and plans and their participants will continue to be vulnerable to financial losses and PII breaches. Such risks could lead to the erosion of confidence in our nation’s private pension system.”

Read the full GAO report here.

Press Contact

Democratic Press Office, 202-226-0853