Retirement plan providers and advisers should be taking a close look at vendor cybersecurity protocols after a data transfer software hack exposed the private data of millions of people, including retirement plan participants, according to industry experts.
A hack of data transfer software firm Moveit, which is owned by Progress Software Corp., has hit nearly 20 million people and more than 378 firms, according to the most recent data from anti-malware company Emsisoft. At least 1 million consumers were exposed by participant locator services vendor Pension Benefit Information LLC, which works with numerous retirement plans.
A hack of PBI’s services led to the exposure of data on more than 350,000 participants with Fidelity Investments and more than 1 million combined between the California Public Employees’ Retirement System and the California State Teachers’ Retirement System, according to filings. The breach also reached nonprofit retirement provider TIAA via PBI, and through it colleges and universities across the country, according to alerts from those organizations.
While the breach does not necessarily mean fraud will take place, it is certainly a possibility in the months and even years to come, according to Brett Callow, a threat analyst with Emsisoft.
“Fraud happens all the time, and it’s not always easy to link it to any particular incident,” he says. “How this unfolds and if any connection can be made over the next months and years will be something to watch.”
Organizations hit by the data breach first need to patch their systems to make sure they are secure, Callow says. The government’s Cybersecurity and Infrastructure Security Agency has been issuing regular software release updates related to the hack from Progress Software. PBI is also, according to filings, providing impacted consumers with free data protection services for a set period of time.
The real work, however, should be done at the front end to prevent future attacks, Callow notes, with organizations and their advisers doing as much as possible to vet vendor cybersecurity protocols before starting a business relationship. This can be a tall order in an ever-evolving world of cyber-threats.
“It runs deeper than [one vendor],” he says. “In some cases, organizations are impacted because their vendor is using a contractor who was using a subcontractor who was using Moveit.”
The SPARK Institute, a retirement member and advocacy group, has stated that upfront cybersecurity assessment for vendors is critical for both retirement plan advisers and plan sponsors.
“The real work should be done prior to contracting with a third-party vendor,” the institute stated in an email expressing the thoughts of various members focused on cybersecurity.
Advisers should also understand a vendor’s incident response plan and have a contract with a reputable independent cyber-forensic expert, the members noted. “A firm should not accept the word of just their vendor that their environment is clean without assurance from a third party,” SPARK Institute members wrote.
Members of the institute also noted that, after a breach occurs, firms should look at the severity of the incident and their own risk tolerance when it comes to continuing the relationship with the vendor.
In the event of a breach, “SPARK members will typically: 1) Assess the impact of the breach, 2) Communicate with their clients, 3) Review the vendor’s security measures, 4) Conduct a risk assessment to mitigate any further risks, and 5) Enhance monitoring and controls over the vendor.”
Beyond preparation, if and when a breach occurs, the best thing an adviser can do is be “transparent, empathetic, and proactive” with those impacted, SPARK committee members said.
“The most common steps in this process include: 1) Prompt communication, 2) Have all the necessary facts and details, 3) Know client-specific impact, 4) Share your firm’s response and mitigation plans, 5) Assure them of your firm’s availability for questions and concerns,” they wrote.
The Moveit breach saga looks to be continuing in the courts. Progress Software has been sued by those exposed in the breach in the U.S. District Court for the District of Massachusetts, according to court filings. Meanwhile, law firms are posting advertisements inviting people who have been notified of the exposure to participate in class action complaints.