On the go: One-third of pension schemes have had their data breached in the past 12 months, according to new research.
A webinar survey carried out in March by Sackers showed that, of 77 trustees and employers of defined benefit and defined contribution schemes, 35 per cent have had their data breached. Almost half (45 per cent) of these have been reported to the Information Commissioner’s Office.
In 2019, the Pensions Regulator was the target of more than 343,000 email attacks, an increase of 148 per cent over the previous year.
The most targeted organisations are often third-party administrators, which are responsible for storing personal data on scheme members and have been receiving and handling much more information digitally since the start of the lockdown.
Ominously, while several experts said cyber criminal activity has surged during the pandemic, they cautioned that most evidence of this is yet to emerge as attacks can often remain hidden for weeks or even months.
Arshad Khan, senior counsel at Sackers, noted that the “pensions industry is no different to any other industry, and breaches or cyber attacks do and will continue to happen to everyone, including schemes such as those in our survey, and government bodies such as the Department for Work and Pensions, TPR and HM Revenue & Customs too”.
He added: “The key message is to ensure that you have good scheme governance and controls in place across all aspects of data management and cyber security, to minimise potential damage to members and the scheme’s reputation and finances should a breach happen.
“This is one critical responsibility that trustees cannot delegate away.”
According to a poll by the Pensions and Lifetime Savings Association published in November, 22 per cent of respondents knew their organisation had a cyber security response plan but did not know what was in it, while 11 per cent either did not have or did not know about such a plan at their business or scheme.