Pension trustees have been urged to be vigilant after businesses experienced an increase in cyber attacks and data breaches over the past year, as cyber criminals upped their game during the shift towards homeworking.

According to RSM’s ‘The real economy’ report, 27 per cent of middle-market businesses have experienced a cyber attack in the past year, up from 20 per cent in 2021. 

Meanwhile, the proportion of businesses that reported a data breach has increased from 13 per cent in 2021 to 34 per cent this year.

While the research findings were based on businesses in general, Ian Bell, head of pensions at RSM, said he would be very surprised if the numbers were not similar for the pensions sector, and urged trustees to take notice and act before they are targeted by criminals.

“The pandemic has led to higher cyber criminal activity in terms of people working remotely, and the checks and balances and controls in place are probably not as good as they would be if everyone was working in the office,” he said. 

“One of the things we typically tell pension trustees to address is where you have independent trustees that are using their own email addresses instead of using the corporate email address, so they’re relying on their quite weak home systems when it comes to cyber threats.”

Trustees can be a target because they are responsible for some very valuable member data.

Bell said: “Trustees tend to argue that member data does not go through their emails, but that’s not typically true because once cyber criminals work out what that individual does, such as the chair of trustees, they can piece together how they then want to take advantage of that.”

For example, criminals can launch a whaling attack, where they hack into the trustee’s email account and pretend to be that individual. They can then use that email address to contact other trustees or scheme management and try to instigate a transaction that extracts funds from the pension scheme.

According to the Information Commissioner’s Office, ransomware attacks — where hackers either steal or encrypt data and then hold a business to ransom for it — doubled in 2021 compared with the period before the Covid-19 pandemic. Meanwhile, ransomware is now even available to buy as a service in some jurisdictions.

The typical target for ransomware would be pension scheme administrators or in-house scheme administrators, Bell said. That is because a successful ransomware attack would prevent them from administering the pension for thousands of people, and therefore someone would have to pay the ransom to get that capability back.

While he has no knowledge of it happening in the pensions industry, he said he has been suspicious at times as to why administrative systems have gone down.

Despite the increased risk of ransomware attacks, the proportion of businesses that felt they were “very likely” to fall victim to a ransomware attack fell from 34 per cent to just 24 per cent in one year, according to RSM’s report.

Bell pointed out that one of the problems is a lack of transparency on incidences of ransomware in the pensions industry — if insurance policies have paid out on the back of a ransomware attack, companies are not allowed to share that data.

“The information is not freely available, and if it was it would be useful because it would tell trustees that this is a very real risk,” he added.

RSM issued a freedom of information request to the Pensions Regulator to get its views on the availability of data in the pensions sector, but TPR said in its online response that it does not have access to that data.

The regulator will tell trustees in its new code of conduct later this year that they need to be aware of cyber risks and the sort of data they hold on behalf of their members and how it needs to be protected. 

“In terms of compliance with everything the trustee should be doing, who is actually monitoring the position from an industry point of view?” Bell asked.