Recordkeeping, Insurance Platforms Disrupted by Infosys Cybersecurity Breach

A “cybersecurity event” at retirement and insurance service provider Infosys McCamish Systems LLC has been affecting recordkeepers and insurance providers around the country since early November, according to company statements and reports from customers and advisers. 

T. Rowe Price, the Vanguard Group and Principal Financial Group Thursday noted that a breach at the platform provider, a subsidiary of Bangalore, India-based Infosys BPM Ltd., has affected their systems. None of the firms has said they are aware of any account holder data being exposed. 

A document sent by Vanguard to its clients that sponsor nonqualified plans indicated that the problem may last for some time. “At this time, Newport does not have an estimated time for full service restoration,” the document stated.

The issue came to light earlier this month. T. Rowe Price was notified by Infosys on November 2 of a “cybersecurity event affecting their nonqualified plan recordkeeping platform, which resulted in disruptions to T. Rowe Price’s services to nonqualified plan clients,” according to a spokesperson. No other recordkeeping systems were impacted.

“The vendor is investigating whether any data was subject to unauthorized access or exfiltration and will report to us if this occurred for any data of our clients and their participants,” the spokesperson wrote. “We have contingency measures in place to continue services to our nonqualified plan clients and their participants while the vendor’s systems are down.”  

Principal, an insurance provider, recordkeeper and asset manager, noted that the cybersecurity issue had affected its group universal life customers. 

“We are aware Infosys McCamish Systems (McCamish) is the target of a cybersecurity event that has disrupted certain applications and systems used to service our group universal life customers,” a spokesperson wrote. “We are working closely with McCamish to understand the extent of the event while continuing to serve our customers as best we can. At this time, we do not have evidence that our data has been compromised.” 

Vanguard sent a memo about the impact of the issue to its nonqualified plan sponsor clients. The document, obtained by PLANSPONSOR, labeled a “November 16, 2023 Update,” from Vanguard to its nonqualified plan sponsor clients, makes clear that the firm was affected through recordkeeper Newport Group.

The communication noted that McCamish’s ongoing investigation “has not revealed evidence that data of your plan or participants was exfiltrated or disclosed to the public” and that “Newport has also confirmed that custody of client assets was not affected by this event. Vanguard’s cybersecurity experts have also not detected any unusual activity on Vanguard’s internal systems in connection with this issue.” In addition, since learning of the problem at McCamish, Newport “took proactive steps to protect clients, including disconnecting from and isolating the impacted McCamish Systems platform,” according to the Vanguard memo.

Representatives for Ascensus and its Newport Group affiliate said Wednesday the Infosys cybersecurity issue had halted account value updates for its nonqualified retirement plan account holders. The spokespeople said their companies’ systems were not impacted, and a letter from customer service to a plan participant stated that the firm had no evidence that plan data had been “exfiltrated or disclosed to the public.” 

The vendor’s parent, Infosys BPM Ltd. released a statement November 3 that its U.S. subsidiary had been made aware of a “cybersecurity event resulting in non-availability of certain applications and systems in IMS.” The firm noted it is working with a “leading cybersecurity products provider” to resolve the issue. Palo Alto Networks is the third-party cybersecurity expert, according the the Vanguard memo. The vendor, according to T. Rowe, also contacted state and federal regulators about the issue.  

“Once we learned of the issue, our information security team launched our own investigation and has confirmed that T. Rowe Price systems were not compromised,” the spokesperson wrote. “Out of an abundance of caution, we also restricted technology connections between T. Rowe Price and the vendor.”  

This type of cybersecurity breach is unique for the retirement space in that it does not appear to be going after participant data for sale, says Jay Gepfert, founding partner of Culpepper RFP and managing partner of DOL Cybersecurity LLC. 

“It’s the inability to do a transaction that is very unique,” Gepfert says. “I’ve certainly read about things in other industries where they lock up a system and are waiting for a ransom to take place, but I’ve not heard it in the retirement space.” 

Gepfert notes that, if account holders are locked out of their accounts for a significant period of time, it begins to create legal liability for the company in terms of what damages claims those participants can make later. 

“It’s a change in liability for everybody,” he says.  

Vanguard’s memo offers this information about customer account values: “Once the system has been fully restored and confirmed to be safe, Newport will carefully review, update, and verify all transactions that have taken place during this period. Once complete, Vanguard’s platform will present updated account values from Newport on our web experience.”

Gepfert notes that, because the issue is from a third-party vendor, there’s not much a plan sponsor can do, but “keep leaving messages and keep your fingers crossed.”