A leading cyber-security expert says pension schemes are still behind the rest of the financial services sector in protecting members, despite increasing awareness and realism about the threat of online criminals.

Jim Gee, national head of the forensic services team at professional services firm Crowe UK, helped the Pensions Regulator to create guidance, released last year, on cyber security. While trustees are beginning to take action on these threats, some assume that measures they have implemented are impenetrable, according to Mr Gee.

In fact, cyber crime is becoming a fact of life for large organisations. The Department for Digital, Culture, Media and Sport’s latest survey on hacking in April found that 32 per cent of businesses had identified breaches or attacks in the past 12 months, rising to 61 per cent of large businesses. Forty-eight per cent of those who reported an attack reported at least one such attempt per month.

Personal data at risk

Cyber criminals are organised, business-minded, and willing to target any organisation. In a Crowe survey of the UK’s top 50 brands, 40 per cent were the subject of active dark web conversations about how to reach their systems and how to monetise a resulting breach. Every Crowe client examined has been found to have at least some emails or passwords for sale online.

Pension scheme trustees should not count themselves as immune to this threat, according to Mr Gee. “You can see why pension schemes would be attractive to them,” he said. “It’s not just the money but it’s also the rich seams of personal data.”

Schemes typically hold details about their members, including their bank account details, names and addresses, and even information about member health in some cases.

“I’d be surprised if this hadn’t happened [to a pension scheme] somewhere in the UK. We know it’s happened in the case of some pension administrators,” Mr Gee said.

He said trustee alertness to cyber threats is improving, due in part to the regulator’s increased focus on the issue. The April 2018 guidance steers trustees and administrators through a three-stage cycle, starting with assessing the risk, then putting in place controls, and finally monitoring and reporting.

Take on scenario training

Cyber security is also starting to be presented in accessible terms, according to Mr Gee. However, he added that some boards have historically seen cyber risk as a job for their sponsoring employer, and that the pensions industry still trails behind peers such as banking, despite pension schemes holding the greater asset values.

“It’s much better to admit that there’s at least a possibility, if not a probability, that you’ll be attacked,” he said of any trustees still burying their heads in the sand.

If trustees take on the scenario training recommended by experts like Mr Gee and have contingency plans in place, they can react quickly to contain attacks if hackers are successful.

This speed of reaction helped the £32bn Pension Protection Fund limit the impact of a breach it experienced in late 2018.

Only a small percentage of members and employees were targeted, but mandatory employee training and monitoring allowed the pensions lifeboat to respond quickly, consulting experts in the field while it tackled the issue.

Simon Liste, the PPF’s chief information technology officer, said: “We take the protection of our members’ data very seriously. Cyber-criminals are always developing new ways to compromise high-security infrastructure and as such we constantly review our security controls and processes to ensure we follow the very highest security standards to mitigate against data loss from these evolving cyber threats.”

Review processes

Trustees in the wider industry do not rate themselves as being this proficient. A 2018 Crowe survey found that just 17 per cent of defined benefit trustees and 24 per cent of their defined contribution peers rated their cyber risk controls as “very good”, making this area the worst protected out of several key risks.

Nonetheless, scores on these surveys were a marked improvement. One factor driving trustees’ increased alertness is the introduction of GDPR last year, according to Rebecca Morgan, head of technical research at ITM.

Still, she says she has seen instances of member details being shared via unsecured platforms, and urges trustees to review both third parties’ processes and their own for passing data to these providers.

“It’s thinking about when you can anonymise that data before you send it, and making sure you’re not emailing it, and sending it securely,” she said.