Pension companies have been warned to be on their guard against ransomware attacks, after industry insiders confirmed to Pensions Expert that at least one administrator was subjected to a ransomware attack in the past week.
While regulators and an industry association released a statement on Thursday saying it was a case of “when, not if” a cyber attack would occur, ransomware had in fact already been deployed in an attempt to extort pension companies, according to three people briefed on the matter.
Pensions Expert understands that trustees have sent alerts to unaffected administrators urging them to review their systems on the back of three ransomware breaches. Another person familiar with the matter said the figure of three may have been a miscommunication, and that only one attack has been confirmed.
Ransomware attacks involve hackers encrypting an organisation’s data, then demanding a ransom in exchange for the means to decrypt it. Paying offers no guarantee: in some cases, victims have paid ransoms several times without regaining access to their systems, according to cyber security experts.
It is understood that the administrator in question was able to stymie the attack by restoring its data from a backup.
On Thursday, the Pensions Administration Standards Association released a statement saying that it is “aware of current heightened interest from cyber criminals in the pensions sector”, echoing warnings by regulatory executive David Fairs that it is a matter of “when, not if” an attack will occur.
“This has the potential to have a very serious impact unless administrators are properly protected because of people’s reliance on them to settle and pay their benefits from pension schemes,” the association said, urging outsourcers to strengthen their resilience, have this independently verified, and update their processes for dealing with an attack, ensuring that they can still settle and pay benefits.
A spokesperson for the Pensions Regulator declined to comment as to whether it was aware of the attack. “Pension schemes hold significant amounts of valuable data, which make them targets for fraudsters and cyber criminals, so it’s vital that trustees and managers treat cyber security as a key risk and ensure third-party administrators do the same,” the spokesperson said.
Pensions displays data weaknesses
While ransomware attackers are principally concerned with denying organisations access to their own data, Pensions Expert has previously reported on the extent to which schemes and administrators are themselves leaking potentially valuable information.
A freedom of information request revealed that since May 2018, data breaches in the pensions sector have been reported to the Information Commissioner’s Office at a rate of at least one a week on average.
Jim Gee, head of forensic services at advisory firm Crowe, who also chairs Pasa’s cyber crime and fraud working group, said that administrators must recognise that they will never be able to make their defences totally impermeable, given that even sophisticated national defence systems have been hacked in the past.
“I do think that some administrators and pensions organisations actually place an overreliance on the protection element, and don’t do enough about how to actually manage an attack and recover from it,” he said.
Mr Gee said that the wide variation in tactics used by ransomware hackers makes them hard to respond to, but that planning for the eventuality can help improve the industry’s response.
“Organisations, whether they’re schemes or administrators, often don’t get what I think is essential, which is an independent level of assurance about what they have got in place,” he said, arguing that providers of cyber-protection are unlikely to be forthcoming about their own weaknesses.
Pasa is rapidly developing guidance for schemes and administrators on cybercrime resilience, and expects to publish this in September. TPR also has guidance to help ensure pension schemes are as cyber resilient as possible.
Calm response needed
For trustees who find their administrators have been compromised, understanding is likely to be key. Several administration professionals told Pensions Expert that despite their diligence in fortifying themselves, the sophistication of some hacks means that luck has played at least some part in their being spared so far.
Paul McGlone, a partner at Aon, said that while trustees will be anxious, a collaborative relationship with administrators will be most productive.
“The best thing you can probably do is let them get on with their job,” he said. “The last thing they need is to be distracted by dozens upon dozens of clients all calling up asking what’s happening.”
However, schemes that have not yet been hit should be carefully preparing for this eventuality, he warned.
“We’ve been running cyber wargames with our clients for the past three years, where you take them through a simulated attack, and they’ve been incredibly popular,” said Mr McGlone. He said many schemes have rehearsed plans for incident response, which might include measures to ensure that benefits continue to be paid.