Why pension schemes must act now on cyber risk
16 March 2017
Is your pension scheme at risk of a cyber attack? The unfortunate truth is, absolutely. The UK’s occupational pensions sector manages around £3 trillion worth of assets and each scheme holds exactly the sort of valuable data most coveted by hackers: names, national insurance numbers, dates of birth, bank details and a host of other personal information.
PwC has predicted that cyber security will be one of the five key pensions technology (PenTech) issues of 2017. Not before time: for while schemes are an obviously attractive target for cyber criminals, the pensions industry has been slower than many other financial services counterparts to confront the threat.
That may be because scheme trustees believe cyber security is primarily the responsibility of third parties such as scheme administrators. It’s also the case that cyber security has not been a particularly high priority for regulators, though over the past year bodies such as The Pensions Regulator have been increasingly vocal about the risks schemes must address.
Whatever the explanation for the slow start, the window of opportunity for pension schemes is closing rapidly. For one thing, the European Union’s General Data Protection Regulation (GDPR) will apply in the UK from May 2018, with strict new rules about how personal data is handled and protected. Pension schemes will be covered by this regime.
Leaving aside the regulatory imperative, however, pension schemes must get to grips with cyber risk because if they don’t, a major attack is almost inevitable. That might mean a serious breach of data security, in which members’ bank details are stolen; it could mean the loss of assets through, for example, a systematic programme of fraudulent transfer requests that goes undetected for years or even decades until members seek to retire. Trustees concerned about deficits in their schemes today might like to reflect on the crystallised losses that such a theft would represent.
Don’t think that cyber criminals have not identified the opportunity. The widely held stereotype of a hacker – the spotty teenager in his bedroom – is misleading. In fact, cyber criminals are highly organised and sophisticated, often collaborating with one another in corporation-like structures – they employ teams dedicated to identifying new opportunities for attack, researching the size of the prize, and investigating resilience. With cyber crime operating on this industrial scale, the allure of the pension scheme sector will not have passed attackers by. Worse, the criminals only have to be successful once to make a killing and to cause devastating damage.
Anecdotal evidence suggests UK pension schemes have already been targeted by cyber criminals; more attacks may come to light once the GDPR mandates public disclosure of all breaches. So far, however, there hasn’t been publicity surrounding a large-scale attack – and pension schemes must act now to protect themselves against such threats.
What does that mean in practical terms? The key is for pension scheme trustees to push this issue up their agenda, so that it ranks alongside discussions about deficits, investment strategy and other key priorities. Every scheme should have IT security policies in place, communications protocols that cover what happens if there is an attack, and training programmes for everyone involved in the running of the scheme so they know how to stay ahead of the hackers and protect scheme members.
Clearly, the relationship with scheme administrators is crucial. Do they understand cyber risk and what security precautions have they taken? Are their IT systems monitored and tested for vulnerability to attack? Is an incident management scheme in place? Do they have clear governance structures in place and a culture of complying with best practice? Are they certificated under initiatives such as the Government’s Cyber Essentials scheme?
Understanding other third-party relationships will be crucial too, with cyber criminals often targeting an organisation’s supply chain as the easiest way in. Once the pension scheme is penetrated, the hackers can “sit” undetected for weeks, if not months, waiting for the optimal time to take control of the systems and holding trustees to ransom with the threat of locking down the system – imagine the impact that would have if such an attack were launched just before payroll.
Whilst many of the threats can be overcome by practical and sometimes easy-to-introduce measures, trustees need experts in cyber security to help them and their advisors and administrators prepare for what can be sophisticated and prolonged attacks.
Don’t think this will never happen to your scheme. The stakes are getting higher by the day. Remember, cyber criminals act like organisations – they are professional, organised, persistent and evolving; that’s why PwC predicts cyber security will be one of the five key PenTech issues for 2017. Our response to this threat must be equally robust and comprehensive.