Friday, March 19, 2021

Jason Kottke - It’s Been 23 Years

Jason Kottke   Mar 14, 2021

On March 14, 1998, I started writing here and, aside from a month or two here and there, never stopped. Things just kinda got out of hand, I guess. *shrug* I keep thinking that at some point, someone is going to inform me that vaudeville is over and yank me off stage with a hook, but until then you’re stuck with me. Thanks everyone for reading — I know from past emails that some of you have been following along since the beginning.

While I have you, two things:

1. After several months of inactivity, the Noticing newsletter has relaunched as a weekly recap of this here website — it’s got a new design too. You can subscribe here or read the latest issue with the new look.

2. The newsletter and kottke.org are completely free for everyone to read, thanks to financial support from readers like you. If you’d like to support this small corner of an increasingly paywalled web, please consider investing in a kottke.org membership. Thanks!

Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans

Defined Contribution Plans: Federal Guidance Could Help Mitigate Cybersecurity Risks in 401(k) and Other Retirement Plans, GAO-21-25, Published: Feb 11, 2021. Publicly Released: Mar 15, 2021.

“In their role administering private sector employer-sponsored defined contribution (DC) retirement plans, such as 401(k) plans, plan sponsors and their service providers—record keepers, third party administrators, custodians, and payroll providers—share a variety of personally identifiable information (PII) and plan asset data among them to assist with carrying out their respective functions (see figure). The PII exchanged for DC plans typically includes participant name, Social Security number, date of birth, address, and username/password; plan asset data typically includes numbers for both retirement and bank accounts. The sharing and storing of this information can lead to significant cybersecurity risks for plan sponsors and their service providers, as well as plan participants.

[Figure: Data Sharing Among Plan Sponsors and Service Providers in Defined Contribution Plans]

Federal requirements and industry guidance exist that could mitigate cybersecurity risks in DC plans, such as requirements that pertain to entities that directly engage in financial activities involving DC plans. However, not all entities involved in DC plans are considered to have such direct engagement, and other cybersecurity mitigation guidance is voluntary. Federal law nevertheless requires plan fiduciaries to act prudently when administering plans. However, the Department of Labor (DOL) has not clarified fiduciary responsibility for mitigating cybersecurity risks, even though 21 of 22 stakeholders GAO interviewed expressed the view that cybersecurity is a fiduciary duty. Further, DOL has not established minimum expectations for protecting PII and plan assets. DOL officials told GAO that the agency intends to issue guidance addressing cybersecurity-related issues, but they were unsure when it would be issued. Until DOL clarifies responsibilities for fiduciaries and provides minimum cybersecurity expectations, participants’ data and assets will remain at risk…”
