A “cybersecurity event” at retirement and insurance platform service provider Infosys McCamish Systems LLC has been affecting recordkeepers and insurance providers around the country since early November, according to company statements and reports from customers and advisers.
On Thursday, T. Rowe Price, the Vanguard Group, Principal Financial Group and Ascensus noted that a breach at the platform provider, a subsidiary of Bangalore, India-based Infosys BPM Ltd., has affected systems. None of the firms are aware of any account holder data being exposed.
According to Ascensus and its Newport affiliate, the Infosys cybersecurity issue halted account value updates for its nonqualified retirement plan account holders. Company representatives said their systems were not impacted, and a customer service letter stated the firm had no evidence that plan data had been “exfiltrated or disclosed to the public.”
A document sent by Vanguard to its clients that sponsor nonqualified plans stated: “At this time, Newport [its nonqualified provider] does not have an estimated time for full service restoration.”
T. Rowe Price was notified by Infosys on November 2 of a “cybersecurity event affecting their nonqualified plan recordkeeping platform, which resulted in disruptions to T. Rowe Price’s services to nonqualified plan clients,” according to a spokesperson. No other recordkeeping systems were impacted.
“The vendor is investigating whether any data was subject to unauthorized access or exfiltration and will report to us if this occurred for any data of our clients and their participants,” the spokesperson wrote. “We have contingency measures in place to continue services to our nonqualified plan clients and their participants while the vendor’s systems are down.”
“Once we learned of the issue, our information security team launched our own investigation and has confirmed that T. Rowe Price systems were not compromised,” the spokesperson wrote. “Out of an abundance of caution, we also restricted technology connections between T. Rowe Price and the vendor.”
Retirement and Insurance Platforms
Infosys McCamish provides clients with retirement and insurance industry services. The vendor’s parent, Infosys BPM Ltd. released a statement November 3 that its U.S. subsidiary had been made aware of a “cybersecurity event resulting in non-availability of certain applications and systems in IMS.” The firm noted it is working with a “leading cybersecurity products provider” to resolve the issue.
Palo Alto Networks is the third-party cybersecurity expert, according to the Vanguard memo. The vendor, according to T. Rowe, also contacted state and federal regulators about the issue.
On Thursday, an Infosys BPM spokesperson said the firm had no further information beyond its November 3 statement.
Principal, an insurance provider, recordkeeper and asset manager, noted that the cybersecurity issue had affected its group universal life customers.
“We are aware Infosys McCamish Systems (McCamish) is the target of a cybersecurity event that has disrupted certain applications and systems used to service our group universal life customers,” a spokesperson wrote. “We are working closely with McCamish to understand the extent of the event while continuing to serve our customers as best we can. At this time, we do not have evidence that our data has been compromised.”
Vanguard sent a memo about the impact of the issue to its nonqualified plan sponsor clients. The communication noted that McCamish’s ongoing investigation “has not revealed evidence that data of your plan or participants was exfiltrated or disclosed to the public” and that “Newport has also confirmed that custody of client assets was not affected by this event. Vanguard’s cybersecurity experts have also not detected any unusual activity on Vanguard’s internal systems in connection with this issue.” In addition, since learning of the problem at McCamish, Newport “took proactive steps to protect clients, including disconnecting from and isolating the impacted McCamish Systems platform,” according to the Vanguard memo.
This type of cybersecurity breach is unique for the retirement space in that it does not appear to be targeting participant data for sale, says Jay Gepfert, founding partner of Culpepper RFP and managing partner of DOL Cybersecurity LLC.
“It’s the inability to do a transaction that is very unique,” Gepfert says. “I’ve certainly read about things in other industries where they lock up a system and are waiting for a ransom to take place, but I’ve not heard it in the retirement space.”
Gepfert notes that, if account holders are locked out of their accounts for a significant period of time, it begins to create legal liability for the company in terms of what damages claims those participants can make later.
“It’s a change in liability for everybody,” he says.
Gepfert notes that, because the issue is from a third-party vendor, there is not much a plan sponsor can do except “keep leaving messages and keep your fingers crossed.”