MOVEit Hack a Lesson as Digital Threats Increase

Experts say the incident revealed how to combat the stealing and selling of personal data, but participants remain vulnerable to the next hit.

Art by Karlotta Freier


A recent data breach known as the MOVEit hack has affected more than 2,000 organizations and at least 60 million people, according to the latest tracking by KonBriefing. That list will likely keep growing.

Among those hit were millions of retirement plan participants, in large part due to a breach at Pension Benefit Information, a data vendor working with numerous large recordkeepers and state-run pension systems.


In short: The hackers got access to participant data via some of the largest and most respected institutions in the industry. Lawsuits are coming, targeting not just PBI, but the firms who used it as a vendor.

What, then, is a plan fiduciary to do?

Experts have a number of suggestions that, while they may not stop future breaches, will help a fiduciary show it acted prudently should one occur. The suggestions often start with following the Department of Labor’s April 2021 guidance on cybersecurity for the retirement industry, but they also include building a regular system of assessment into procuring and working with vendors, participating in mock data breach exercises, and being ready for audits.

Information for Sale

In many cybersecurity cases in recent years, hackers used a method known as ransomware, in which they encrypted or otherwise locked up a company’s data and demanded a ransom to release it. More recently, hackers are going straight after personal data, such as the participant information that organizations were moving through MOVEit, a managed file transfer product from Progress Software Corp. Hackers then sell that information on the “dark web” in batches to criminals, says Marc Bleicher, chief technology officer at Surefire Cyber.

Bleicher says the data tends to have a “shelf life” of about three months as companies start notifying participants of the breach and providing identity theft solutions. A person’s Social Security number, he says, can “fetch $2 to $5” per account, and other personally identifiable information such as financial account or passport numbers can be as high as $1,000 per account.

“I would assume that any transactions for [the MOVEit data] would have gone pretty quickly,” Bleicher says. “Meaning that they would have put it on there, and somebody would have purchased it and done something with it rather quickly.”

That “something,” in the case of retirement participants, may have been calling or contacting savers and posing as their retirement service providers to get at funds. The fraudsters may use tactics such as saying there has been an address change at the firm and a payout needs to be sent to keep the account active, Bleicher says.

“The victim has no idea what’s going on,” Bleicher says. “I would imagine that probably was one of the objectives here [with the MOVEit breach].”

Bleicher also notes that, when it comes to retirement accounts, hackers would likely be targeting older participants not just because they may not be as tech savvy, but because in this case, they may be more likely to respond to a query about retirement needs.

“They’re kind of a low-hanging fruit for the attacker,” he says.

Overlooked

Despite the MOVEit hack hitting participant accounts, the situation will not necessarily change the current state of cybersecurity awareness in the retirement industry, says Joseph Lazzarotti, a principal in Jackson Lewis PC who works with ERISA clients on cyber issues.

He notes that there have been other massive breaches over the years, but cybersecurity can be hard for companies to keep up with, especially if they are midsize or small firms, along with the plan advisers who work with them.

“The vast majority of retirement plans from employees are in the middle of the market,” Lazzarotti notes. “Those [owners and managers] are wearing a lot of hats, and they don’t have the purse strings for cybersecurity.”

As retirement plan fiduciaries, companies are often more focused on plan investments, fees and day-to-day administration.

“That’s just their retirement plan hat, not to mention their health and welfare hat and their payroll hat and others,” he says. “It really is a challenge.”

Lazzarotti says many companies view their recordkeeper as the only vendor they have to focus on. They often assume, especially when it is a large firm, that “they know what they’re doing.” But the reality is that companies, and those advising them, need to probe and ask questions of those big vendors as well, both to assess the answers, but also to show they are watching cybersecurity.

The attorney notes that, while companies should loop their information technology teams into the process, those IT staffs may not be experts in the latest cybersecurity threats. They may be most useful, he says, in approaching vendors, who can then show that they are aware of the threats and have specialists watching out for the security of participant data.

“If I’m a retirement plan sponsor of a mid-market company,” Lazzarotti says, “you can’t assess every vendor to the same extent. But you do go through a procurement process, and so you should make as part of the procurement process a question around what amount of risk the vendor presents and then base your assessment on their answers.”

Liability Can’t Be Outsourced

One of the biggest misconceptions among plan sponsors is that they are not responsible for cybersecurity breaches that occur at one of their vendors, says Mario Paez, national cyber risk leader at Marsh McLennan Agency LLC. He notes that 2021 Department of Labor guidance has gone a long way in combatting that misconception, but he still often gets the question when working with clients.

“There’s this thought [among clients] that: ‘Great, I may collect this data, but it’s routed to a third party for the processing and the storage—the safekeeping of that—so I’m outsourcing my liability, correct?’” Paez says. “The answer to that is: ‘No. No, you are still very much responsible.’”

Paez, however, notes that the expectation is not for plan sponsors to be immune from breaches. It is that they show, on a consistent basis, they are monitoring and assessing their vendors in terms of digital protection.

Service providers must also be keeping up with cybersecurity concerns and have an incentive beyond just avoiding a breach.

“As a service provider, to gain $10 million, $20 million or $50 million in cybersecurity insurance coverage, I better have my act together to demonstrate that I am insurable in order to conduct my business and be compliant with most contracts,” Paez says.

That means the cybersecurity relationship can go in the other direction. In some cases, service providers can offer to work with a plan adviser or sponsor on their own cybersecurity, Paez says. Particularly in the case of small plan sponsors, the providers might use it as a “marketing tool” in terms of offering them cybersecurity review and assistance.

All of this work, Paez says, is crucial for plan fiduciaries to be prepared in case of an audit so they can show due diligence.

“It’s not a set-it-and-forget-it approach,” he says. “It’s a continual journey that is about the maturation in the contracting by the plan sponsors and the various service providers in that corporate supply chain.”

Play It Out

Paez recommends one key exercise plan fiduciaries can do both internally and with vendors and providers: a mock simulation of a data breach.

“On the retirement side, [plan fiduciaries] should look through that scenario… and see what that process looks like,” he says.

This type of preparation is also crucial because, Paez says, if and when a breach does occur, lawsuits will likely follow in which decision making by the fiduciaries will be closely scrutinized. Even if employers have a great relationship with their employees, he notes, lawsuits will ensue if information or finances are stolen.

“If I’m an employee, I may look at my employer and say, ‘Well, why was this [service provider] selected?’ That’s where the plaintiffs’ bar can be very creative to turn over every stone to look for different pockets of funds,” Paez says.

The MOVEit breach has already brought a slew of lawsuits against some of the providers involved, including TIAA, Fidelity Investments and PBI. While those cases may play out for years, they may also serve as reminders to the industry, says Surefire Cyber CTO Bleicher.

“Moving forward, I think this is a great lesson,” he says. “I tell all my clients to treat any third-party service or product provider as an extension of your team and apply the same information and security standards that you would internally to assessing whether they’re the right vendor for you.”

What Advisers Should Know About Cybersecurity Insurance

Experts provide insight into an insurance market predicted to grow from $6 billion to $33 billion in coming years.

Art by Karlotta Freier


The need for retirement plan fiduciaries to carry cybersecurity insurance has grown in recent years, according to experts, as breaches and other digital incidents have increased dramatically since 2019.

In 2019, the cybersecurity insurance market was estimated to be worth $6 billion. By 2027, the market is predicted to grow to $33 billion, according to Jay Gepfert, founding partner of Culpepper RFP and managing partner of DOL Cybersecurity LLC.


“Since 2019, the number of bad actors and the number of breaches and the size of those breaches have grown almost every single day,” Gepfert says. “It seems that there’s a major breach literally every single day now.”

Advisers working with plan sponsors should be aware of cybersecurity insurance and consider it for their clients, if the clients do not have it already, Gepfert says. At the same time, they should consider cybersecurity for their own practice and how they can assure plan sponsors they are practicing what they preach.

The State of Cybersecurity Insurance

James Cole, principal at Groom Law Group, agrees with Gepfert and says the dangers clearly impact the retirement plan industry.

“Over the last couple of years, there have been cases involving data breaches for benefit plans and benefit plan advisers, which should highlight the importance to plan sponsors and plan service providers that this is an exceedingly important area to pay attention to.”

The cost of cybersecurity insurance itself has also gone up dramatically, says Gepfert, with rates rising by more than 20% per year in recent years. This year’s rates are up 10% to 15% from 2022.

“The manic increases in pricing and the rapidly ever-evolving underwriting questions seem to have, to some extent, levelled,” adds Cole. “But this is such a rapidly developing area, and the potential for claims is such that I would expect to see increased activity in both premium movement and underwriting requirements over the coming years.”

Gepfert, who owns two companies—DOL Cybersecurity, which assists plan sponsors in completing DOL cybersecurity assessments, and Culpepper RFP, which offers RFP evaluations of service providers—says cybersecurity plays a larger role in clients’ evaluations now—about 10% to 15% of the evaluation—than two years ago, when it was probably 5%.

Gepfert says plan advisers themselves are also seeing increased scrutiny from clients on advisers’ internal cybersecurity practices. He notes that plan sponsors are asking questions like, “Have you had any data breaches? What’s your employee training for cybersecurity? What’s your level of cybersecurity insurance?”

“Those are all questions that, three years ago, two years ago, probably very few are being asked,” he says. “Now it is a major piece when they’re being evaluated by plan sponsors.”

Advisers ‘Don’t Have … to be Experts’

Despite the increased focus on cybersecurity, Gepfert says plan advisers do not have to try to be experts in the field.

“I would go a different direction. The Department of Labor came out in 2021, and they published cyber guidelines for plan sponsors that are what they need to be doing either for their own company or for their service providers,” he says. “If you’re an adviser—and this is one of the questions I asked in my RFPs: ‘What are you advising your plan sponsors relative to the 2021 DOL guidelines?’—I think that’s the area where they can help them improve their cyber practices.”

Ali Khawar, the principal deputy assistant secretary for the DOL’s Employee Benefits Security Administration, also recognizes that not all plan sponsors are going to have familiarity with cybersecurity issues.

“There’s not a provision of ERISA that I’m about to tell you that says, ‘You have to have your cybersecurity certification in order to sponsor.’ That is just not the case,” Khawar says. “But these are important obligations. … That set of best practices [addressing plan sponsors] is really aimed at helping them understand what the questions are that they can ask to give themselves some assurance that the service provider, the custodian or whatever institution that they’re working with is doing what they need to be doing.”

Groom’s Cole notes that the ERISA Advisory Council released reports in 2022 on cybersecurity as it relates to employee and health benefit plans. The group, which advises the DOL, has been clear that fiduciaries must be very mindful of the protection, security and privacy of their data. Those fiduciaries need to pay attention not only to their own internal workings, but also to their service providers and how they are treating that data.

“I think that more and more retirement plans will likely seek cyber insurance, as most of them would be well served to consider [it],” says Cole. “I think that the desire to have more complete coverage for the insured and their demands on the insurers will result in more discussion over coverage language and more specificity as to what exactly is covered and what is not.”

These discussions may involve legally technical and scientifically technical issues, he says, which will require advisers to be more vigilant. Additionally, he foresees plan sponsors needing more protection from litigation risk.

“How will it come? Will it be ransomware? Will it be because participants have bad cyber hygiene? I think those are the areas of exposure that will lead to those questions,” says Cole. “I think that [advisers] should be aware of the increased demands or contractual arrangements with their clients. I think they should be aware of their cyber hygiene and their own protections from coverage through their cyber policy, as well as other policies that might apply.”
