A “cybersecurity event” at retirement and insurance platform service provider Infosys McCamish Systems has been affecting recordkeepers and insurance providers around the country since early November, according to company statements and reports from customers and advisers.
On Thursday, T. Rowe Price and Principal Financial Group noted that a breach at the platform provider, a subsidiary of Bangalore, India-based Infosys BPM Ltd., has affected systems. Neither firm is aware of any account holder data being exposed.
T. Rowe Price was notified by Infosys on November 2 of a “cybersecurity event affecting their nonqualified plan recordkeeping platform, which resulted in disruptions to T. Rowe Price’s services to nonqualified plan clients,” according to a spokesperson. No other recordkeeping systems were impacted.
“The vendor is investigating whether any data was subject to unauthorized access or exfiltration and will report to us if this occurred for any data of our clients and their participants,” the spokesperson wrote. “We have contingency measures in place to continue services to our nonqualified plan clients and their participants while the vendor’s systems are down.”
Principal, an insurance provider, recordkeeper, and asset manager, noted that the cybersecurity issue had affected its group universal life customers.
“We are aware Infosys McCamish Systems (McCamish) is the target of a cybersecurity event that has disrupted certain applications and systems used to service our group universal life customers,” a spokesperson wrote. “We are working closely with McCamish to understand the extent of the event while continuing to serve our customers as best we can. At this time, we do not have evidence that our data has been compromised.”
On Wednesday, Ascensus and its Newport affiliate said the Infosys cybersecurity issue had halted account value updates for its nonqualified retirement plan account holders. The companies said their systems were not impacted, and a customer service letter stated that the firm had no evidence that plan data had been “exfiltrated or disclosed to the public.”
The vendor’s parent, Infosys BPM Ltd. released a statement November 3 that its U.S. subsidiary had been made aware of a “cybersecurity event resulting in non-availability of certain applications and systems in IMS.” The firm noted it is working with a “leading cybersecurity products provider” to resolve the issue. The vendor, according to T. Rowe, also contacted state and federal regulators about the issue.
“Once we learned of the issue, our information security team launched our own investigation and has confirmed that T. Rowe Price systems were not compromised,” the spokesperson wrote. “Out of an abundance of caution, we also restricted technology connections between T. Rowe Price and the vendor.”
Infosys McCamish provides clients with retirement and insurance industry services. On Thursday, a spokesperson said Infosys BPM had no further information beyond its November 3 statement.
This type of cybersecurity breach is unique for the retirement space in that it doesn’t appear to be going after participant data for sale, says Jay Gepfert, founding partner of Culpepper RFP and managing partner of DOL Cybersecurity LLC.
“It’s the inability to do a transaction that is very unique,” Gepfert says. “I’ve certainly read about things in other industries where they lock up a system and are waiting for a ransom to take place, but I’ve not heard it in the retirement space.”
Gepfert notes that, if account holders are locked out of their accounts for a significant period of time, it begins to create legal liability for the company in terms of what damages claims those participants can make later.
“It’s a change in liability for everybody,” he says.
Gepfert notes that, because the issue is from a third-party vendor, there’s not much a plan sponsor can do, but “keep leaving messages and keep your fingers crossed.”
