Pensions administrators have urged schemes to review their cyber security arrangements and question their advisers' practices after the WannaCry ransomware targeted British organisations including the National Health Service.
Admin providers have long warned about the consequences of poorly protected data for pension schemes and employers, but a direct attack on a UK fund has yet to materialise.
However, the WannaCry attacks, which sought to extort Bitcoin payments from computer users after encrypting their files, have brought the issue to the fore.
Believed to have been the work of an international criminal organisation, the virus infected NHS systems, forcing services including ambulances to be cancelled or diverted. NHS Digital told the Financial Times that patient data did not appear to have been hacked.
Catherine Sutcliffe, head of risk and assurance at Punter Southall Administration, said the attacks highlighted the potential danger for large organisations of all types.
“Systems relating to the running of pension schemes are as much at risk as any other system. Criminals are indiscriminately targeting anyone whose systems are vulnerable.”
The ransomware, based on a stolen US cyber weapon, works by exploiting a weakness in the Microsoft Windows implementation of Server Message Block, the protocol used to share files and printers across local networks.
The flaw was first identified in March 2017, so organisations that had applied the relevant patches to their systems in time were able to escape infection.
In addition, the recent identification and registration of a 'kill switch' – a domain name hardcoded into the malware in case its creator wanted it to stop spreading – has also limited its further spread.
What to do
To protect themselves against further attacks of a similar nature, Sutcliffe said schemes should manage patches properly, apply them as soon as possible after release and not use software for which support is no longer provided.
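The three controls above (apply patches promptly, retire unsupported software, and close off the exposed SMB weakness) can be checked on a Windows host from PowerShell. The script below is an added example written for this article; it is not tooling from the article, from Punter Southall or from any other firm named here. The article gives no patch identifiers, so the hotfix list is a placeholder that you would replace with the KB numbers from your vendor advisory; the cmdlets used (Get-HotFix, Get-SmbServerConfiguration, Set-SmbServerConfiguration, Get-WindowsOptionalFeature, Disable-WindowsOptionalFeature) are standard Windows cmdlets.

```powershell
# Added example (not from the article): audit a Windows host for the
# mitigations the article names, current patches and no legacy SMBv1, and
# optionally remediate. Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    # Placeholder list: the article gives no KB numbers, so substitute the
    # identifiers from your vendor's advisory before use.
    [string[]]$RequiredHotfixes = @('KB0000000'),
    # Pass -Remediate to switch SMBv1 off rather than only report on it.
    [switch]$Remediate
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Platform check: the article warns against running software that no
#    longer receives support. The script reports the OS build; compare it
#    against your vendor's lifecycle table.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host "OS: $($os.Caption) (build $($os.Version))"

# 2. Patch check: every required hotfix must be present.
foreach ($kb in $RequiredHotfixes) {
    $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($null -eq $hf) {
        $findings.Add("Missing hotfix $kb")
    } else {
        Write-Host "Installed: $kb on $($hf.InstalledOn)"
    }
}

# 3. SMBv1 check: the exploited weakness is in the legacy v1 dialect of
#    Server Message Block, so the host should not offer it at all.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings.Add('SMBv1 is enabled on the server side')
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host 'SMBv1 server support disabled'
    }
}

# On client builds SMBv1 is also an optional feature; remove it when present.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings.Add('SMB1Protocol optional feature is installed')
    if ($Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Host 'SMB1Protocol feature removed (restart required)'
    }
}

# 4. Summary: a non-zero exit code lets a scheduled job or management
#    console flag hosts that still need attention.
if ($findings.Count -eq 0) {
    Write-Host 'No findings'
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it without switches first to get a read-only report across the estate (the exit code is enough for a scheduler to single out non-compliant machines), and only add -Remediate once you have confirmed that nothing in the scheme's administration stack still depends on SMBv1, since disabling the feature can require a restart.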
She also urged schemes to build their systems in a standard and secure way, and have them independently stress-tested.
“Human intervention, or lack of it, often ends up being the weak link in information security incidents, so it is therefore vitally important that a comprehensive training and awareness programme is in place around information security,” she continued.
Trustees might choose to adopt a “layered” system of independent controls that must be breached before data access, increasing resilience against a hack as well as improving the chance of spotting it, Sutcliffe said.
Keep calm and challenge advisers
However, others said trustees are likely to be aware of the importance of data security already, and that while they should not become complacent, they should not allow themselves to become paranoid either.
Richard Butcher, managing director of professional trustee company PTL, said that cyber security is "flavour of the month, and I’d be very surprised if there was a trustee board where this hadn’t got onto their agenda in some shape or form”.
However, if schemes can be confident that their professional advisers are alert to the issue, Butcher said it was important to challenge them on procedures, for example by “asking the service provider, ‘What have you done about this, what would happen in a cyber attack, have you had a cyber attack?’”
When advisers and service providers outsource capabilities, he explained, they create a further link in the data-sharing chain. This means trustees must identify everyone who will handle their members’ data, and establish contractual liabilities to cover their responsibility for it.
Industry standards vary
Daniel Taylor, director at administration specialist Trafalgar House, said quizzing service providers about their standards was particularly important given the uneven quality of data practices.
While some had robust systems in place, others “don’t have a good handle universally on whether all of their systems are being updated in the same way”, he said.
He said the widespread nature of the WannaCry attacks proved cyber crime would not necessarily be targeted at high-profile or politicised organisations, and that trustees should train themselves and staff not to be caught by activities such as phishing.
“They really need to come up with a risk plan, and start engaging more proactively with each one of their advisers,” he added.