Editor’s blog: As the threat of Covid-19 rumbles on, a concurrent wave of cyber attacks should have the pensions industry on high alert.

Details of the attack are still unclear, with the regulator refusing even to assure the industry of its involvement.

In the pensions industry, we have grown accustomed to talking about member vulnerabilities rather than systemic weaknesses, particularly when discussing technology and the threats emanating from nefarious actors around the world. 

But the potent cocktail of vast troves of personal data and a level of security that reportedly lags the rest of financial services means that we should perhaps spend more time looking inwards.

That said, this is not a threat that affects our industry alone. Any lockdown joggers still keeping their discipline may have noticed data streams from their Garmin devices drying up, as the technology giant’s Connect app fell prey to a hack by software linked to the rather intriguingly named Evil Corp.

Another devastating hack was launched against the UK’s universities in late July, demonstrating the indiscriminate nature of the threat.

Responding to an attack is also fraught with difficulties. Experts tell Pensions Expert that some victims have paid ransoms many times over without regaining access to their data.

In the case of Garmin, which reportedly paid the ransom, it would have faced the added headache of Russian hackers Evil Corp being on a US sanctions list, though it is not confirmed that the hack emanated from this group.

The sophistication of hacking techniques and speed of development are such that, according to Crowe’s Jim Gee, a penetration tester leaving the market for six months would struggle to ever catch up again.

It is this scale of the challenge that has evoked a certain solidarity among the administrative industry, with several unaffected players telling Pensions Expert words to the effect of ‘it could easily have been us’.

This attests to a positive response to the regulator’s salient warning to ensure robust processes are in place for the handling of an attack. Certainly, trustees should have probing questions prepared for their outsourcers to establish the level of work going into this area.