A ransomware attack that has affected nonqualified compensation benefits accounts and some insurance platforms has been resolved, with account reactivation still at least one week away, according to a notice to providers obtained by PLANADVISER.
The cybersecurity event at Infosys McCamish Systems LLC that halted multiple national retirement and insurance provider platforms, starting on November 2, was the result of a ransomware attack, according to sources familiar with the issue and the note to providers. Infosys BPM Ltd., the Bangalore, India-based parent company of Infosys McCamish, has only called it a “cybersecurity event” and did not immediately respond to request for further comment on the fix.
“As we previously informed you, McCamish Systems, an Infosys subsidiary and a provider critical to our ability to process and update participant transactions, experienced a ransomware event on November 2,” stated a letter from nonqualified plan provider Newport, owned by Ascensus, to benefits clients on Tuesday. “IMS notified us that it has successfully restored and rebuilt its environment.”
Infosys on November 3 disclosed the cybersecurity event to the Securities and Exchange Commission as part of a Form 6-K filing.
On Thursday, T. Rowe Price, the Vanguard Group, Principal Financial Group and Ascensus noted that a breach at the platform provider had halted account use for nonqualified compensation plans and, in the case of Principal, universal life insurance accounts. None provided further comment on the fix.
Infosys had hired a third-party security expert, Palto Alto Networks Inc.’s Unit 42, to investigate the attack. Unit 42 confirmed that the systems have “been hardened” and that the security firm has not observed any “indication of ongoing unauthorized access or activity,” according to the letter.
Participants with nonqualified plans do not yet have access to their accounts, with an update to come the week of November 27. As of now, no participant data has been exposed, according to this and prior correspondence from the providers.
“As previously communicated, we are taking a number of actions to protect your data and ensure that participant accounts will reflect up-to-date, accurate values, including all transactions and activity,” Newport/Ascensus wrote to clients. “This will take some time and we anticipate having a more definitive update on the timing of full platform restoration for you by early next week.”
Asset Liability Concerns
Matt Maier, vice president of Lockton Companies LLC, has been working with clients affected by the attack by relaying information and guiding them on how to manage the shutdown.
The adviser confirmed that account holders of nonqualified benefits have likely missed any payments due to be paid since November 2. His greater concern, however, is the asset-liability management of the plans.
“These plans sit on the company books as a liability,” Maier says. “Companies choose to set aside assets to hedge that liability. If [a participant] makes a change on the account to move money from fund ‘A’ to fund ‘B’, at the end of close of business each day, the assets will be moved to match the transaction.”
With accounts unavailable, some recordkeepers will not have been making those consolidations, Maier notes.
“With the market increasing in the last 20 days or so, there is going to be a bifurcation of these assets and liabilities,” he says. “If they are hedged 100%, and now [once reactivated] they are hedged 90%, who is going to pay for that difference?”
Cybersecurity data science analyst Shalom Bublil, who estimates the cost of cybersecurity incidents for Israeli company Kovrr, says any damages will likely flow up to the vendor—in this case Infosys—which then may seek to recoup from its provider of cybersecurity insurance.
Bublil notes that a platform vendor working with multiple large providers is often a key target for hackers, who see it as targeting “fish in a barrel.”
“Technology relies on economies of scale,” he says. One vendor may be in an area that “sounds like a niche,” but you then have “just a few vendors that tend to aggregate most of the market.”
409A Paper Trail
The letter from Newport/Ascensus to benefits clients noted that the firm is “continuing to log all transactions submitted after market close on November 1” that will be processed once the system is back online. Until then, participants were encouraged to “submit transactions as normal.”
Nonqualified deferred compensation plans, known as 409A plans, require recordkeepers to file annual reports to the IRS noting account holders’ deferral elections, notes adviser Maier, who is also chair of the NQDC plan subcommittee for the Plan Sponsor Council of America.
The Infosys platform outage has resulted in multiple large recordkeepers starting to “talk about doing paper forms,” rather than digital versions, Maier says.
Compensation distribution payments, Maier says, should be able to be made within an acceptable time period, allowing for administrative errors. But the cost of carrying liabilities will remain an outstanding question to be monitored.
“If it’s a shortfall, there will be questions around why and how it gets remedied,” he says. “My biggest concern is those assets and liabilities: Where does that flesh out at? Are we going to see mismatches that weren’t there before? How do our clients get made whole if that’s the case?”
Overall, Maier said he hopes the breach will encourage those in the industry to pay more attention to cybersecurity concerns, similar to what has already happened in the broader 401(k) community.
“Hopefully this is kind of a wake-up call for the deferred comp industry,” Maier says.