Westend61 | Westend61 | Getty Images
The Labor Department should do more to protect 401(k) investors from cyber attacks, at a time when their sensitive personal information is increasingly being shared over the internet, a federal watchdog said Monday.
A web of firms that oversee 401(k) and other similar workplace retirement plans hold data on Social Security numbers, birthdates, addresses, usernames and passwords.
A cyber attack at any point in the chain may lead to “enormous losses” of data and retirement savings, which may ultimately lead to identity theft or “severe financial and other ramifications,” the Government Accountability Office said in a report.
However, the Labor Department, which regulates the U.S. retirement system, hasn’t kept pace, the watchdog said.
Businesses that offer 401(k) plans are fiduciaries, which means they must act in the best interests of employees when overseeing investments and other aspects of the plan.
But the Labor Department hasn’t clarified whether reducing cyber risk is a fiduciary duty, the GAO said. The agency also hasn’t issued minimum expectations for the protection of personal data, and investors can’t be assured it’s being adequately protected, the GAO said.
The watchdog recommended that the agency take both these steps.
The Labor Department didn’t immediately respond to a request for comment.
The popular 401(k) and similar workplace retirement plans hold almost $9 trillion in assets, according to the Investment Company Institute.
It’s unclear how much in 401(k) savings has been lost to cyber attacks, the GAO said. But recent legal claims offer a hint as to how much individual investors stand to lose.
For example, one person alleged in a lawsuit that, between December 2018 and January 2019, a criminal stole $245,000 from an unauthorized distribution of their retirement account after obtaining personally identifiable information, the GAO said.
The Labor Department is working on public-facing guidance for fiduciaries and service providers on securing their technology systems, but the timing and contents of the guidance are uncertain, according to the GAO report.