GAO Addresses Cybersecurity in Defined Contribution Plans

The U.S. Government Accountability Office (GAO) issued a report[1] on cybersecurity risks facing defined contribution retirement (DC) plans that included a recommendation on federal guidance that could help mitigate these risks.

Congress asked GAO to review the cybersecurity risks associated with the data management related to managing defined contribution retirement plans. DC retirement plan management relies on the internet and IT systems for the transfer of large amounts of personally identifiable information (PII) between plan sponsors and plan administrators. PII that is routinely transferred includes names, social security numbers, dates of birth, addresses, usernames, passwords, and in some cases bank account information. GAO sought to review the cybersecurity risks associated with this transfer of data as well as the efforts that exist to assist plan sponsors to mitigate this risk.

The report details existing federal and industry mitigation efforts that currently exist related to retirement plan PII. However, the report notes that there is no federal guidance for mitigating cybersecurity risks. As a result, GAO made two recommendations:

  • The Department of Labor (DOL) should formally state whether cybersecurity is a plan fiduciary responsibility under ERISA
  • The DOL should develop guidance on minimum expectations for all entities involved in administering defined contribution plans to mitigate cybersecurity risks

The DOL reviewed the report and did not agree or disagree with the first recommendation. It indicated that under ERISA, plan fiduciaries have a duty to act prudently and in the best interest of plan participants and this would include mitigating risks of malfeasance in their plans. The DOL also pointed to existing regulations relating to electronic records and disclosures that help ensure systems are safe and PII is protected. While GAO acknowledged these items help mitigate the risk, it still believes a formal statement would ensure fiduciaries understand their duty as it relates to cybersecurity relating to their plan.

On the second recommendation, the DOL is in the process of drafting compliance assistance that will increase awareness of its position on cybersecurity risk mitigation and that fiduciaries are satisfying ERISA obligations when selecting and monitoring service providers. GAO recommended that this compliance assistance include minimum expectations for mitigating cybersecurity risks for all parties involved in administering retirement plans.


Multnomah Group is a registered investment adviser, registered with the Securities and Exchange Commission. Any information contained herein or on Multnomah Group’s website is provided for educational purposes only and does not intend to make an offer or solicitation for the sale or purchase of any specific securities, investments, or investment strategies. Investments involve risk and, unless otherwise stated, are not guaranteed. Multnomah Group does not provide legal or tax advice.

Comment On This Article