Infosys Ransomware Breach Resolving, but Accounts Still Down

A cybersecurity breach affecting thousands of nonqualified compensation accounts is being resolved, but participant accounts remain days away from updates and coming back online.

Human resource teams managing a cybersecurity breach that has hit national providers of nonqualified deferred compensation plans now have assurance that the affected systems have been “successfully restored and rebuilt,” but they still do not have a date when participant accounts will come back online or will be updated, according to a notice to providers obtained by PLANSPONSOR.

The cybersecurity event at Infosys McCamish Systems LLC that halted multiple national retirement and insurance provider platforms, starting on November 2, was the result of a ransomware attack, according to sources familiar with the issue and the note to providers. Infosys BPM Ltd., the Bangalore, India-based parent company of Infosys McCamish, has only called it a “cybersecurity event” and did not immediately respond to a request for further comment on the fix.

“As we previously informed you, McCamish Systems, an Infosys subsidiary and a provider critical to our ability to process and update participant transactions, experienced a ransomware event on November 2,” stated a letter from nonqualified plan provider Newport, owned by Ascensus, to benefits clients on Tuesday. “IMS notified us that it has successfully restored and rebuilt its environment.”

Infosys on November 3 disclosed the cybersecurity event to the Securities and Exchange Commission as part of a Form 6-K filing.

T. Rowe Price, the Vanguard Group and Ascensus on November 16 noted that a breach at the platform provider had halted account use for nonqualified compensation plans and, in the case of Principal Financial Group, group universal life insurance accounts. None provided further comment on the fix.

Infosys had hired a third-party security expert, Palo Alto Networks Inc.’s Unit 42, to investigate the attack. Unit 42 confirmed that the systems have “been hardened” and that the security firm has not observed any “indication of ongoing unauthorized access or activity,” according to the letter.

Participants with nonqualified plans do not yet have access to their accounts, with an update to come the week of November 27. As of now, no participant data has been exposed, according to this and prior correspondence from the providers.

“As previously communicated, we are taking a number of actions to protect your data and ensure that participant accounts will reflect up-to-date, accurate values, including all transactions and activity,” Newport/Ascensus wrote to clients. “This will take some time and we anticipate having a more definitive update on the timing of full platform restoration for you by early next week.”

Asset Liability Concerns

Matt Maier, vice president of Lockton Companies LLC, has been working with clients affected by the attack by relaying information and guiding them on how to manage the shutdown.

The adviser confirmed that account holders of nonqualified benefits have likely missed any payments due to be paid since November 2. His greater concern, however, is the asset-liability management of the plans.

“These plans sit on the company books as a liability,” Maier says. “Companies choose to set aside assets to hedge that liability. If [a participant] makes a change on the account to move money from fund ‘A’ to fund ‘B’, at the end of close of business each day, the assets will be moved to match the transaction.”

With accounts unavailable, some recordkeepers will not have been making those consolidations, Maier notes.

“With the market increasing in the last 20 days or so, there is going to be a bifurcation of these assets and liabilities,” he says. “If they are hedged 100%, and now [once reactivated] they are hedged 90%, who is going to pay for that difference?”

Cybersecurity data science analyst Shalom Bublil, who estimates the cost of cybersecurity incidents for Israeli company Kovrr, says any damages will likely flow up to the vendor—in this case Infosys—which then may seek to recoup from its provider of cybersecurity insurance.

Bublil notes that a platform vendor working with multiple large providers is often a key target for hackers, who see it as targeting “fish in a barrel.”

“Technology relies on economies of scale,” he says. One vendor may be in an area that “sounds like a niche,” but you then have “just a few vendors that tend to aggregate most of the market.”

409A Paper Trail

The letter from Newport/Ascensus to benefits clients noted that the firm is “continuing to log all transactions submitted after market close on November 1” that will be processed once the system is back online. Until then, participants were encouraged to “submit transactions as normal.”

Nonqualified deferred compensation plans, commonly known as 409A plans, require deferral elections to be collected annually. This process is often completed online through recordkeepers, notes adviser Maier, who is also chair of the NQDC plan subcommittee for the Plan Sponsor Council of America.

The Infosys platform outage has resulted in multiple large recordkeepers starting to “talk about doing paper forms,” rather than digital versions, Maier says.

Compensation distribution payments, Maier says, should be able to be made within an acceptable time period, allowing for administrative errors. But the cost of carrying liabilities will remain an outstanding question to be monitored.

“If it’s a shortfall, there will be questions around why and how it gets remedied,” he says. “My biggest concern is those assets and liabilities: Where does that flesh out at? Are we going to see mismatches that weren’t there before? How do our clients get made whole if that’s the case?”

Overall, Maier said he hopes the breach will encourage those in the industry to pay more attention to cybersecurity concerns, similar to what has already happened in the broader 401(k) community.

“Hopefully this is kind of a wake-up call for the deferred comp industry,” Maier says.


DOL Sues Shuttered Law Firm Over Participant’s Assets

The McCullough, Campbell & Lane LLP retirement savings plan owes an average of more than $200,000 to 25 participants.  

The Department of Labor sued the retirement plan of defunct law firm McCullough, Campbell & Lane LLP and four of the firm’s capital partners on November 20 for allegedly failing to terminate the company retirement plan, which holds $5.4 million in assets.

In 2019, the four capital partners—Paul S. Turner, John W. McCullough, Dennis Nelson and David L Joslyn—entered into a partnership resolution to terminate the plan and appointed Turner as plan administrator with authority to terminate the plan, the complaint alleges.

The DOL, in the name of Acting Secretary of Labor Julie Su, sued the Chicago-based law firm in U.S. District Court for the Northern District of Illinois’ Eastern Division, claiming two breaches of fiduciary duty to participants. In Su v. Turner et al., Turner faces one allegation for failing to follow governing documents of the plan regarding properly terminating the plan and distributing plan assets, and the remaining capital partners face another allegation, for their failure to monitor Turner’s termination of the plan and distribution of its assets.

The complaint alleges that Turner, on October 31, 2019, signed a Transamerica Retirement Solutions LLC signature authorization form, permitting Turner to approve changes to plan level services and participant requests, which included but was not limited to approving participant transaction requests, plan level fund changes, plan design changes and changes to administrative services.

“Since 2019, Defendant Turner has failed to administer the Plan and its assets,” the complaint states. “By Defendant Turner failing to administer the Plan, participants of the Plan have not been able to obtain distributions from the Plan of their individual account balances.”

According to Transamerica’s basic plan document, if the employer ceases to operate or exist, the plan was to terminate in accordance with the Internal Revenue Code and the Employee Retirement Income Security Act. Transamerica Retirement Solutions LLC is the plan’s asset custodian and recordkeeper. Distributions were to have started, at the latest, within 60 days of the plan year in which employment was severed.

Although McCullough, Campbell & Lane ceased to operate by September 2019, another firm is currently operating as an active business under the law firm name McCullough PC, according to information on McCullough PC’s website.

“McCullough P.C. is a successor entity to the law firm of McCullough, Campbell & Lane LLP, which was formed in 1987,” the firm’s website states.

Representatives for McCullough, Campbell & Lane LLP did not respond to a request for comment.

 
