The MOVEit data breach: A wake-up call for all retirement plan sponsors

The recent cyberattack that compromised data at more than 600 organizations worldwide highlights the need for plan sponsors to become cybersecurity specialists to protect employee data and assets (or lean on expert advice).

California Public Employees Retirement System (CalPERS), Charles Schwab, and Fidelity Investments are just a few of the 600 organizations worldwide whose pension funds and benefits plan providers had their participants’ data breached by a ransomware group in recent months. And we’re only talking about a single breach, that of Progress Software’s MOVEit file management and encryption transfer software. The exposure of almost 4 million participants’ data has been followed by class action lawsuits alleging failures to protect the data privacy of plan participants, including against Johns Hopkins University & Health System, TIAA, TD Ameritrade, and CalPERS.

The U.S. recorded a 75% increase in ransomware events between the first half and second half of the past 12 months (July 2022-June 2023), according to Malwarebytes, Inc. These staggering exposures should act as an exclamation point on plan sponsors’ new post-digital transformation job description, which now must include cybersecurity. It’s not a job they asked for, but given that any person involved in the management of an employee retirement or benefits plan can be held personally liable for a fiduciary breach under ERISA law, they must roll up their sleeves to work at the intersections of plan management and technology.

Interconnected third-party cybersecurity risk

Cyberattacks are rising, despite numerous cybersecurity solutions and zero-trust approaches in the market, taking advantage of an ever-widening attack surface from the proliferation of hybrid work, IoT, blockchain, generative AI tools, and, in this case, enterprise cloud adoption. The hack of Progress Software’s MOVEit Transfer shines the spotlight on the complex vulnerabilities of today’s enterprise cloud/SaaS environments, in which 45% of data breaches occurred in 2022 and in which 60% of all corporate data was stored. Organizations of all sizes use a variety of software platforms to automate every business function from sales enablement and customer relationship management to HR and benefits plan administration. The resulting patchwork of interconnected internal and third-party software platforms has expanded the attack surface for cybercriminals while also creating a question of responsibility: Who is responsible when a breach ripples across the value chain? As evidenced by the cascade of data security exposures from this single file transfer software platform and subsequent civil suits, plan and pension sponsors need to ensure the security posture of their organizations’ relevant software vendors is up to date and strong.

Fiduciaries’ playbook for data breach protection

Organizations should reinvent their cyber risk management logistics to align with the new normal. Plan and pension professionals can take a few fundamental steps that can protect their companies, their departments, and their participants from increasingly sophisticated bad actors.

  1. Assess and reassess: Conduct an examination of your plan’s current cybersecurity sensitivities, resourced either internally or by a qualified third-party expert. A legally defensible risk assessment should adhere to independently developed criteria, and a review offers a way to ensure continued improvement. Critically, re-check cyber-vulnerabilities on an ongoing annual basis, because cybercriminals are always innovating and technology is evolving. For some, regulators may mandate it.
  2. Formal training and policy: Employee benefit plans of all sizes need a cybersecurity policy statement explicitly written to align with the Employee Benefits Security Administration’s (EBSA) guidance. In today’s fraught data security and compliance environment, official cyber policies have grown to the same importance as investment policy statements. Human error remains the number one reason for cybersecurity incidents. Policy should include the use of multi-factor authentication and mandatory staff training aligned with EBSA’s cybersecurity guidance to protect against phishing, social engineering, and password brute-force attacks.
  3. Third-party solution provider policy and standards: Pension and benefit plan committees — or the CISO in larger companies — should implement strict cybersecurity guidelines for hiring, monitoring, and re-hiring tech vendors of retirement plan services, health care plans, payroll operations, and any other service provider that takes possession of personally identifiable information. And on the heels of the recently enacted Securities and Exchange Commission cybersecurity reporting rules, public company CISOs now bear responsibility and liability for incident reporting.
  4. Cyber breach response plan: This is the plan you hope to never have to deploy. Following an attack, aftershocks can ripple for decades if a company is not properly prepared. Planning prevents incidents from spiraling into disasters and is one of the best practices specifically recommended by EBSA. The incident response costs can be detrimental or catastrophic to the business’ bottom line, from intrusion-related restoration costs and legal and forensic service costs to compliance expenses related to notification laws, which vary state-to-state, requiring that the affected individuals be formally notified. The breach response plan will enable a plan sponsor to immediately engage legal counsel, employ cyber insurance and covered services, assemble a cross-functional team, and perform an analysis of root causes.

Plan sponsors must protect themselves too

Plan managers are doing well if they are communicating with their CISOs or IT managers in checking the data security assessments, response plans, policies, and training procedures – including for third-party cloud vendors and partners. They are doing better if they spearhead acquisition of stout cybersecurity liability insurance, which would defend the insured organization from covered allegations as well as pay settlements/judgments on behalf of the insured organization for allegations of “network security liability” or “breach of privacy liability”, or both. Although it’s not automatic, some cyber insurance policies will also specifically cover the insured organizations’ employee benefit plans, in addition to covering the insured organization and insured persons. Some plan sponsors may think that if they outsource administration, oversight, or supervision of employee benefit plans, they’re also outsourcing the liability. The liability exposure in that instance is the decision to utilize third-party services.

A data breach exposing pension or benefit plan participants’ financial, health, or personally identifiable data can originate from a security gap in a sponsor’s own HR department, another department within the same organization, from a third-party service provider’s security gap, or from a third-party provider’s own vendor like Progress Software’s MOVEit. Attorneys and consumers have become increasingly aware they can sue the companies or the plan sponsor individuals if data is compromised. Plan sponsors cannot afford to overlook the scrutiny of insurance requirements in vendor contracts and should confirm where the responsibility lies in handling a cyberattack and understand the full spectrum of potential company and personal liability.

In today’s tech-driven business world, plan professionals are well-advised to insulate themselves against personal exposure for third-party claims of not meeting fiduciary obligations by obtaining fiduciary liability insurance or errors and omissions insurance to complement their mandatory ERISA fidelity bond. Instead of leaving the liability determination in the hands of the legal, judicial, and regulatory system after a data breach occurs, plan sponsors should be vigilant in their participants’ privacy and safety, and in their own fiduciary indemnity.

Richard Clarke, Chief Insurance Officer of Colonial Surety, leads insurance strategy and operations for the expansion of Colonial Surety’s SMB-focused product suite, building out the online platform into a one-stop-shop for America’s SMBs.