Premier Pensions head of administration Girish Menezes details how the pandemic has made pension fund data vulnerable to cyber attacks, and explains what schemes and administrators can do to better protect their members’ information.
First, pensions data includes key personal information such as name, address and national insurance number, which opens the door to identity fraud.
Second, if data is not digitised and appropriately backed up, a fire in the physical file storage area or digital data corruption could make it very difficult and expensive to reconstruct an individual’s pension benefits.
Finally, attackers realise that response times matter when members request pensions information such as retirement quotations, so any disruption to service creates leverage. This leaves pension systems exposed to cyber security threats, including denial-of-service attacks and ransomware.
Impact of the pandemic
Historically, pensions data would be locked in a pension company’s bricks-and-mortar premises. The pandemic has forced the industry to transition to remote working, which means data is now accessible over the internet. This is a major change in the scheme’s security posture.
Companies have the additional issue that if they are not digitised, there is now no way to access an individual’s paper background files. It is difficult to request original ID, and payment approvals may still be dependent on a paper trail.
Rapid process changes, digitisation and workarounds could open up opportunities for hackers and scammers.
Companies that administer their pensions in-house are especially at risk as pensions administration is not their core competence. These companies’ processes are more likely to be manual and pensions administration may not have received the attention, resources and investment given to the core business.
How to be better protected against cyber security threats
The pandemic has forced pension schemes to move rapidly towards digitisation and automation.
All individuals’ files should be back-scanned, processes need to be embedded within an integrated automated workflow, member identification needs to take place using digital ID platforms, and payment approvals need to be made via a digital workflow.
If these are not in place already, it may be more cost-effective and efficient to outsource the service to a specialist organisation. If changes are made post-pandemic, these need to be reviewed by a third-party expert team.
IT and cyber security policies need to be reviewed within the post-pandemic context.
For example, companies should have data access locked to company-provided encrypted hardware, encrypted virtual private network access from laptops to servers, multi-factor authentication, data encrypted on servers, and companies should minimise entry points to the server to the bare minimum.
It is also possible to implement managed detection and response services, where a third party actively monitors all hardware 24/7 for unusual activity and has the ability to shut down hardware and services.
Resilience against denial-of-service attacks and frequent testing of back-ups are critical. These measures need to be commensurate with the risks involved.
Finally, if they do not already, companies should ensure that they have independent specialists auditing their IT and cyber security arrangements at least annually.
Protecting trustees
One would expect independent trustees, and trustees who are still employed by the pension sponsor, to be covered by the company’s IT and cyber security policies.
However, many trustees may work on personal laptops, desktops and tablets with questionable security. Their hardware may not be encrypted and could be used by multiple people.
You cannot lock them down in terms of software downloads, anti-virus software and removable media, nor force them to apply updates. The hardware may also not be securely wiped on disposal.
Best practice is for scheme secretaries to use specialised encrypted software platforms to share meeting papers, delegated approvals and data with trustees, so these sit centrally rather than on individual hardware.
Meeting packs and stewardship reports may also limit, obfuscate or redact personal information to reduce the risk of documents being mislaid or improperly accessed.
Girish Menezes is head of administration at Premier Pensions