PROVIDENCE –
The agency that administers the state's $11.3 billion public pension plan is releasing a Request for Proposals on Jan. 6 for a contractor to assess its data security and IT infrastructure.
The call, which will be open until Feb. 14, was posted by the Employees’ Retirement System of Rhode Island, the political subdivision of the state that administers the pension system managed by the State Investment Commission and the General Treasurer’s office.
The RFP comes on the heels of the cyberattack on the state’s RIBridges public benefits computer system earlier this month that resulted in the theft of the personal data of about 650,000 individuals. Information taken by ransomware group Brain Cypher includes Social Security and bank account numbers, along with information from health insurance received through HealthSourceRI.
In 2023, more than 14,000 state workers and retirees had their personal information compromised by a theft perpetrated by a Russia-based hacking group known as “Clop,” which exploited vulnerabilities in the MOVEit file transfer system used by third-party contractor PBI Research Services.
That breach exposed vulnerabilities laid out in the most recent R.I. Auditor's report in 2023 that said the Treasury "lacks dedicated internal audit and information system ... security functions common in most state Treasury operations."
In a statement Thursday, Diossa spokesperson Wil Arboleda said the RFP is unrelated to the RIBridges breach. The Treasury spent $140,000 to complete a comprehensive security review in 2023 and the office has budgeted the same amount for this latest request.
A summary of the RFP says ERSRI “seeks to secure a contract for an Information Systems security risk assessment of its physical office space and IT Security policies and procedures, as well as an assessment of the security posture of ERSRI’s line of business contractor,” identified as Toronto-based Telus Corp. and its third-party payment processor Day Force, headquartered in Minneapolis, Minn.
The RFP also seeks a risk assessment of the Teachers Insurance and Annuity Association, the nonprofit that administers the state's 401(a) Defined Contribution Retirement Plan, 457(b) Deferred Compensation Plan, and the FICA Alternative Retirement Income Security Program.
The contractor will also use “social engineering” to vet ERSRI staff and review internal policies and practices related to the handling of personal identifying information and personal health information, and develop a “cybersecurity program maturity assessment.”
The contract could also include monthly "on-site risk management and review of cyber security procedures, analysis of system output data to identify potential breaches, suggest best practice, apprise senior management of known threats.”
Christopher Allen is a PBN staff writer. You may contact him at Allen@PBN.com