Pension schemes present a treasure trove of valuable data for cyber criminals and scammers, yet most trustees are lagging behind other financial services sectors. Fieldfisher’s Jeremy Harris and James Walsh explore the key risks and the steps needed to shore up controls.

Despite the risks, some consider that pension schemes are behind the market in the field of cyber security. For numerous reasons, it is time for trustees and administrators to take heed and do more.

Pension schemes are subject to many of the same cyber threats that other organisations face. But the extensive personal data held about scheme members – including names, addresses, bank account details, age, beneficiaries and often health data – coupled with the potential to access pension funds, make pensions a lucrative target for criminals.

Social engineering techniques such as phishing, where scheme members can be tricked into providing login and account details or to transfer their pension plans, are a particular threat, alongside hacking, malware, ransomware and rogue employees.

Data thieves may be able to set up fake pension scheme websites that resemble the real thing and extract data from unwitting scheme members. Once criminals have member logins and personal data, members’ addresses and account details can be changed to misdirect pension payments or used by fraudsters to identify potential targets.

The IT systems of pension schemes are sometimes less mature than those of other financial services organisations, which exacerbates the problem. Some schemes do not know or recognise exactly what data they hold, suffer from a lack of investment and training on cyber security issues, or have poor internal processes.

Members are also a factor in making pension schemes vulnerable. Pensioners tend to be of advanced years and less comfortable dealing with matters online. In 2019, a survey conducted by the Financial Conduct Authority and the Pensions Regulator found that one in four pension savers admitted to taking 24 hours or less to decide on a pension offer, showing how readily data held by pension schemes can be misused by scammers.

What are the responsibilities of trustees and administrators? 

Given the threats, pension trustees and administrators need to be particularly wary of their regulatory obligations.

The General Data Protection Regulation has been a step change for pension schemes by requiring plans to ensure an appropriate level of security for their members’ personal data.

Personal data breaches – or material cyber incidents – must often be reported by schemes to the Information Commissioner’s Office in the UK and the appropriate regulator.

The threat of potential fines looms large, with proposed penalties ranging into the tens and hundreds of millions for personal data breaches. A fine of nearly £100m has already been levied against Marriott International.

Likewise, trustees and administrators have additional obligations under state and workplace pension scheme rules or, in the case of private pensions, FCA regulations, to ensure that they have appropriate systems and controls in place.

How can pension schemes be better protected?

There are useful sources of industry guidance for pension schemes in a number of different areas. The Pensions Regulator (TPR) publishes cyber security principles for pension schemes within its regulatory remit.

Likewise, the FCA provides similar guidance on what it expects companies to do in terms of cyber resilience.

Guidance includes recommendations such as assessing and understanding cyber risks, and putting in place appropriate controls. This might include having the right level of IT security, processes and people, managing supply chain risk, obtaining appropriate accreditations – like the government’s Cyber Essentials scheme or ISO 27001 compliance – and developing incident response plans.

Monitoring and reporting of the scheme’s preparedness and responses to threats is equally important.

Essentially, pension schemes must do what they can to ensure that scheme members are given the right warnings to be able to identify potential cyber threats and scams, including by educating them as to how the scheme and administrators will interact and communicate with them.

Having appropriate authentication measures for members approving transactions is also important, particularly given that many schemes can be accessed online by members with simple usernames and passwords.

In comparison, banks and payment providers now often have much more sophisticated secure customer authentication techniques.
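To make the authentication point concrete, the following is an added example (not code from the article or from Fieldfisher) contrasting the weak control described above, approving a payment-detail change on a username and password alone, with a step-up check that also requires a one-time code from an authenticator app. The TOTP computation follows RFC 6238 with the standard library only; the member secrets, the `Session` shape and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) for Unix time `now`."""
    counter = now // TOTP_STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** TOTP_DIGITS)).zfill(TOTP_DIGITS)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * TOTP_STEP_SECONDS)
        if hmac.compare_digest(expected, code):   # constant-time comparison
            return True
    return False


@dataclass
class Session:
    member_id: str
    password_ok: bool                 # member logged in with username + password


# Constructed sample data: per-member authenticator secrets (hypothetical).
MEMBER_SECRETS = {
    "member-001": b"12345678901234567890",
}


def approve_change_weak(session: Session) -> bool:
    """The weak control: a password login alone authorises a bank-detail change."""
    return session.password_ok


def approve_change_step_up(session: Session, otp: Optional[str], now: int) -> bool:
    """Hardened control: a high-risk transaction needs the password session AND
    a fresh one-time code bound to the member's enrolled authenticator."""
    if not session.password_ok:
        return False
    secret = MEMBER_SECRETS.get(session.member_id)
    if secret is None or otp is None:
        return False                   # no enrolled factor: refuse, do not fall back
    return verify_totp(secret, otp, now)


if __name__ == "__main__":
    s = Session(member_id="member-001", password_ok=True)
    now = 59                           # fixed time so the run is reproducible
    print("weak control, password only:", approve_change_weak(s))
    print("step-up, no code:", approve_change_step_up(s, None, now))
    print("step-up, valid code:", approve_change_step_up(s, totp(MEMBER_SECRETS["member-001"], now), now))
```

A phished username and password passes the weak check, but not the step-up check, because the one-time code is derived from a secret the attacker does not hold and expires with each time step. The step-up check also refuses, rather than silently downgrading, when no second factor is enrolled for the member.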

The threats are clear. Pension schemes are not immune from cyber security risks, and taking better precautions is essential for plans to protect their schemes and their members.

Jeremy Harris and James Walsh are partners at law firm Fieldfisher, working in the pensions and the technology and outsourcing practices, respectively.