Pension schemes are improving their security against cyber crime, but it is in human mistakes that data shows significant business risk lies, argues Anthony Rafferty of Origo.

Pensions fraud and scams are now big business for criminals around the world. The pensions sector, with its vast amounts of personal information and significant sums held, is an attractive target to these ‘businesses’ — in particular if we consider the sector’s fragmentation, the overall level of cyber security (reported as generally lagging other industries), and use of external suppliers, whose security measures are outside of schemes’ direct control.

The Pensions Regulator has issued guidelines for pension schemes, focused quite rightly “on savers, not solely regulation, administration and enforcement”, and covering a range of concerns, which includes the proliferation of scams during Covid-19 and the safety of savers’ information.

During the crisis, effective communication with clients has been essential. In our digital age — and certainly since lockdown — the use of digital facilities, such as electronic communication and digital signatures, has increased. In pretty much all instances this represents progress, with coronavirus accelerating trends towards digitalisation that were already advancing in the industry.

However, homeworking increases the risk to schemes of experiencing a cyber incident. This is compounded by the fast pace at which organisations and their third-party suppliers were forced to set up remote working capabilities, including effective cyber security arrangements.

In particular, with people separated physically from one another, email between colleagues, and with customers and clients, has become more prevalent. More often than not that email is insecure.

Risks are significant

Data held by pension schemes and communicated between provider and saver can provide enough detail for criminals to defraud scheme members, or even use it for blackmail. Data security is imperative, and no more so than when being passed via unsecured channels between the saver and the scheme or third-party provider, such as email.

However, while pension providers do need to ensure they, and their suppliers, have robust and up-to-date cyber security systems in place, it is not external cyber criminals who have been responsible for the majority of reported data breaches, according to the Information Commissioner’s Office, but rather the “inappropriate disclosure of data” by company staff.

ICO statistics show that the most reported specific incident was information being disclosed by email to the wrong recipient; phishing was the second highest, and data posted or faxed to the wrong recipient was the third. The Pensions Administration Standards Association has issued specific warnings around these attacks. The good news here, of course, is that email, post and fax incidents are entirely within our ability to eradicate as businesses.

When it comes to sending personal data by any of these methods, having a well-documented policy, procedures and monitored processes can go a long way to preventing errors of this kind.
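One way to turn such a policy into a monitored process, as an added example that is not the article's or Origo's own code: a pre-send check that stops personal data leaving for an unapproved or mistyped recipient domain, the misdirected-email case the ICO figures rank first. The approved domains and the detection patterns (a UK National Insurance number format and a dd/mm/yyyy date) are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumed policy: the only recipient domains approved to receive personal data (constructed).
APPROVED_DOMAINS = {"scheme-admin.example", "tpa-partner.example"}

# Constructed patterns for personal data commonly found in pension correspondence.
NI_NUMBER = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")
DATE_OF_BIRTH = re.compile(r"\b\d{2}/\d{2}/\d{4}\b")


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)  # audit trail of why a send was held


def edit_distance(a, b):
    """Levenshtein distance, used to spot a mistyped version of an approved domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_outbound(recipients, body):
    """Decide whether an outbound email may be sent; hold it if personal data
    would go to a domain that is not approved, flagging likely typos separately."""
    verdict = Verdict(allowed=True)
    if not (NI_NUMBER.search(body) or DATE_OF_BIRTH.search(body)):
        return verdict  # no personal data detected: policy does not apply
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in APPROVED_DOMAINS:
            continue
        near = [d for d in APPROVED_DOMAINS if edit_distance(domain, d) <= 2]
        if near:
            verdict.reasons.append(f"{rcpt}: domain resembles approved {near[0]} (possible typo)")
        else:
            verdict.reasons.append(f"{rcpt}: personal data to unapproved domain")
        verdict.allowed = False
    return verdict
```

A held message would then be routed to the encrypted channel or back to the sender for review, and the recorded reasons give the monitoring evidence the policy calls for.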

Regular awareness and training sessions for staff, covering both how to recognise potential cyber crime threats and the regulatory and other impacts on the business should a breach occur, can also help reduce incidents.

Having robust security measures in place, such as using strongly encrypted email when sending personal and sensitive information to and from providers, TPAs and savers, helps keep our data and communications secure.

Encryption helps on two fronts

On a practical level, email encryption protects message contents against interception, enables authentication to ensure that only the intended person can access the information, and provides an audit trail for security and regulatory purposes. Because a message can be opened only by its authenticated recipient, it also puts in place a secure process against the human-error breaches that occur via email, such as a message sent to the wrong address.

Likewise, having clients respond to emails and send information via a secure channel, such as encrypted email with built-in authentication, increases security for all.

Whether or not homeworking will become a greater part of the UK’s business operations post-Covid, it is clear from a growing number of media reports that ensuring robust data security and secure communications is now essential for all schemes and their third-party suppliers.

We are now operating in a world where disclosure of information is a threat on many levels — schemes risk falling foul of both TPR and the ICO, which enforces the General Data Protection Regulation.

Taking preventative measures, such as increasing staff awareness, implementing formal training and taking sensible precautions such as encrypting emails, needs to become the norm if the pensions sector wants to reduce these risks.

Anthony Rafferty is managing director at Origo