PLSA Annual Conference 2016: Schemes must look past the immediate threat of pension liberation scams and stress test their systems against other types of fraud, including cyber crime, according to a panel of experts.

Pension fraud doubled over 2015, with audit firm RSM reporting that 37 per cent of respondents to its most recent survey said fraud had occurred in their scheme in the previous 12 months.

Liberation scams and related frauds are now relatively well known in the industry. Even the Pensions Regulator’s chief executive Lesley Titcomb has reportedly been targeted by fraudsters.

And since the Crime Survey for England and Wales began including fraud and computer misuse statistics in October 2015, the total number of offences recorded has almost doubled.

“From a pensions perspective we as an industry are clearly behind the times in terms of cyber,” said Ian Bell, partner at RSM, comparing the lack of preparation in the pensions sector with heavily guarded financial services like banking.

Get tested

Tactics used by cyber criminals have become more sophisticated, he said, and instruction manuals are readily available on the internet. He stressed the damage that a breach could do to the reputation of schemes, sponsors and the industry as a whole.

In response to the threat, he urged schemes to have their systems, and those of their third-party advisers, tested by security companies which use similar techniques to those of hackers.

The extent of data theft from UK pension schemes is largely unknown, as funds may not know that they have been hacked.

But the availability of confidential information on the dark web is a clear sign that schemes have suffered from cyber crime, according to Martin Mannion, head of trustee services at John Lewis Partnership.

He said criminals often operate from countries such as Russia, where data protection laws are less stringent.

“If you wanted any scheme’s data here you could go to them and they’d get it for you,” said Mannion.

He said the integration of new interfaces, including the pensions dashboard, with legacy data management systems could provide an opening for hackers.

Scams still prevalent

Bell and Mannion also stressed the importance of being alert to other prevalent forms of fraud, such as pension liberation and identity theft, which often involve family failing to notify schemes about a member’s death.

Mark Smith, partner at law firm Taylor Wessing, argued that the recent advent of the pension freedoms means that liberation scams will remain the key concern for schemes for some time.

But he added: “It probably isn’t too far away from the time that we’d see more and more schemes having had data hacked, possibly as a way of getting access to those who access pensions freedoms, or to target people.”

He said that for trustees to prove that they had taken every reasonable step to combat fraud, they would have to “walk the walk”, asking searching questions of their third-party advisers’ arrangements as well as their own.