MOVEit Hack a Lesson as Digital Threats Increase
A recent data breach known as the MOVEit hack has affected more than 2,000 organizations and at least 60 million people, according to the latest tracking by KonBriefing. That list will likely keep growing.
Among those hit were millions of retirement plan participants, in large part due to a breach at Pension Benefit Information, a data vendor working with numerous large recordkeepers and state-run pension systems.
In short: The hackers got access to participant data via some of the largest and most respected institutions in the industry. Lawsuits are coming, targeting not just PBI, but the firms that used it as a vendor.
What, then, is a plan fiduciary to do?
Experts have a number of suggestions that, while they may not be able to stop future breaches, will help a fiduciary be covered should they occur. Suggestions often start with following the Department of Labor’s April 2021 guidance on cybersecurity for the retirement industry, but they also include baking in a regular system of assessment when procuring and working with vendors, participating in mock data breach exercises, and being ready for audits, should they occur.
Information for Sale
In many cybersecurity cases in recent years, hackers used a method known as ransomware, in which they locked up a company’s data and demanded a ransom to release it. More recently, hackers are going straight after personal data, such as the participant information held in MOVEit, file transfer software owned by Progress Software Corp. Hackers then sell that information on the “dark web” in batches to criminals, says Marc Bleicher, chief technology officer at Surefire Cyber.
Bleicher says the data tends to have a “shelf life” of about three months as companies start notifying participants of the breach and providing identity theft solutions. A person’s Social Security number, he says, can “fetch $2 to $5” per account, and other personally identifiable information such as financial accounts or passport numbers can be as high as $1,000 per account.
“I would assume that any transactions for [the MOVEit data] would have gone pretty quickly,” Bleicher says. “Meaning that they would have put it on there, and somebody would have purchased it and done something with it rather quickly.”
That “something,” in the case of retirement participants, may have been calling or contacting savers and posing as their retirement service providers to get at funds. The fraudsters may use tactics such as saying there has been an address change at the firm and a payout needs to be sent to keep the account active, Bleicher says.
“The victim has no idea what’s going on,” Bleicher says. “I would imagine that probably was one of the objectives here [with the MOVEit breach].”
Bleicher also notes that, when it comes to retirement accounts, hackers would likely be targeting older participants not just because they may not be as tech savvy, but because in this case, they may be more likely to respond to a query about retirement needs.
“They’re kind of a low-hanging fruit for the attacker,” he says.
Overlooked
Despite the MOVEit hack hitting participant accounts, the situation will not necessarily change the current state of cybersecurity awareness in the retirement industry, says Joseph Lazzarotti, a principal in Jackson Lewis PC who works with ERISA clients on cyber issues.
He notes that there have been other massive breaches over the years, but cybersecurity can be hard for companies to keep up with, especially if they are midsize or small firms, along with the plan advisers who work with them.
“The vast majority of retirement plans from employees are in the middle of the market,” Lazzarotti notes. “Those [owners and managers] are wearing a lot of hats, and they don’t have the purse strings for cybersecurity.”
As retirement plan fiduciaries, companies are often more focused on plan investments, fees and day-to-day administration.
“That’s just their retirement plan hat, not to mention their health and welfare hat and their payroll hat and others,” he says. “It really is a challenge.”
Lazzarotti says many companies view their recordkeeper as the only vendor they have to focus on. They often assume, especially when it is a large firm, that “they know what they’re doing.” But the reality is that companies, and those advising them, need to probe and ask questions of those big vendors as well, both to assess the answers and to show they are watching cybersecurity.
The attorney notes that, while companies should loop their information technology teams into the process, those IT staffs may not be experts in the latest types of cybersecurity threats. Those teams may be most useful, he says, in helping approach vendors, who can then show that they are aware and have specialists watching out for the security of participant data.
“If I’m a retirement plan sponsor of a mid-market company,” Lazzarotti says, “you can’t assess every vendor to the same extent. But you do go through a procurement process, and so you should make as part of the procurement process a question around what amount of risk the vendor presents and then base your assessment on their answers.”
Liability Can’t Be Outsourced
One of the biggest misconceptions among plan sponsors is that they are not responsible for cybersecurity breaches that occur at one of their vendors, says Mario Paez, national cyber risk leader at Marsh McLennan Agency LLC. He notes that the 2021 Department of Labor guidance has gone a long way in combating that misconception, but he still often gets the question when working with clients.
“There’s this thought [among clients] that: ‘Great, I may collect this data, but it’s routed to a third party for the processing and the storage—the safekeeping of that—so I’m outsourcing my liability, correct?’” Paez says. “The answer to that is: ‘No. No, you are still very much responsible.’”
Paez, however, notes that the expectation is not for plan sponsors to be immune from breaches. It is that they show, on a consistent basis, they are monitoring and assessing their vendors in terms of digital protection.
Service providers must also be keeping up with cybersecurity concerns and have an incentive beyond just avoiding a breach.
“As a service provider, to gain $10 million, $20 million or $50 million in cybersecurity insurance coverage, I better have my act together to demonstrate that I am insurable in order to conduct my business and be compliant with most contracts,” Paez says.
That means the cybersecurity relationship can go in the other direction. In some cases, service providers can offer to work with a plan adviser or sponsor on their own cybersecurity, Paez says. Particularly in the case of small plan sponsors, the providers might use it as a “marketing tool” in terms of offering them cybersecurity review and assistance.
All of this work, Paez says, is crucial for plan fiduciaries to be prepared in case of an audit so they can show due diligence.
“It’s not a set-it-and-forget-it approach,” he says. “It’s a continual journey that is about the maturation in the contracting by the plan sponsors and the various service providers in that corporate supply chain.”
Play It Out
Paez recommends one key exercise plan fiduciaries can do both internally and with vendors and providers: a mock simulation of a data breach.
“On the retirement side, [plan fiduciaries] should look through that scenario… and see what that process looks like,” he says.
This type of preparation is also crucial because, Paez says, if and when a breach does occur, lawsuits will likely follow in which decision making by the fiduciaries will be closely scrutinized. Even if employers have a great relationship with their employees, he notes, lawsuits will ensue if information or finances are stolen.
“If I’m an employee, I may look at my employer and say, ‘Well, why was this [service provider] selected?’ That’s where the plaintiffs’ bar can be very creative to turn over every stone to look for different pockets of funds,” Paez says.
The MOVEit breach has already brought a slew of lawsuits against some of the providers involved, including TIAA, Fidelity Investments and PBI. While those cases may be playing out for years, they may also serve as reminders to the industry, says Surefire Cyber CTO Bleicher.
“Moving forward, I think this is a great lesson,” he says. “I tell all my clients to treat any third-party service or product provider as an extension of your team and apply the same information and security standards that you would internally to assessing whether they’re the right vendor for you.”