Pensions and Cyber Security - is the industry addressing the risks?

This article originally appreared on pensions-expert.com on February 19th.  Pension schemes are particularly exposed to the risk of cyber attacks.  The funds and personal data held by pension schemes present a lucrative target for cyber criminals and scheme members and beneficiaries are often not well equipped to protect themselves adequately.  Despite the risks, some consider that pension schemes are behind the market in the field of cyber security.  For numerous reasons, it's time for trustees and administrators to take heed and do more.

What are the risks?

Pension schemes are subject to many of the same cyber threats as other organisations face.  But the extensive personal data held about scheme members – including names, addresses, bank account details, age, beneficiaries and often health data – coupled with the potential to access pension funds – make pensions a lucrative target for criminals.  Social engineering techniques (such as phishing, where scheme members can be tricked into providing log in and account details to fraudsters or to transfer their pension plans) are a particular threat and pension schemes must be wary of a plethora of other potential cyber threats like hacking, malware, ransomware and rogue employees.

The IT systems of pension schemes may sometimes lack sophistication in relative terms.  Data thieves may be able to set up fake pension scheme websites which resemble the real thing and extract data from unwitting scheme members.  Once criminals have member log ins and personal data, members' addresses and account details can be changed to misdirect pension payments or used by fraudsters to identify potential targets.  Other issues often faced by pension schemes can include a lack of recognition or knowledge of data held, lack of investment and training in cyber security issues, poor internal processes and complacency given the number of scheme members who do little to actively engage with and manage their pensions accounts.

The vulnerability of pension schemes is inherent in the fact that existing pensioners tend to be of advanced years and less comfortable in dealing with matters online. In 2019, a survey conducted by the Financial Conduct Authority and the Pensions Regulator found that 1 in 4 pension savers admitted to taking 24 hours or less to decide on a pension offer, showing that data held by pension schemes can be extremely easy to misuse.

What are the responsibilities of pension trustees and administrators?

Given the threats, pension trustees and administrators need to be particularly wary of their regulatory obligations.  The General Data Protection Regulation has been a step-change for pension schemes by requiring schemes to implement appropriate technical and organisational measures to ensure an appropriate level of security for their personal data.  Likewise, pension trustees and administrators have additional obligations under state and workplace pension scheme rules or, in the case of private pensions, regulations of the Financial Conduct Authority, to ensure that they have appropriate systems and controls in place.  Personal data breaches – or material cyber incidents – must often be reported by pensions schemes to the Information Commissioner's Office in the UK and the appropriate pensions regulator.  The threat of potential fines looms large, following the proposed fines ranging in to the tens and hundreds of £millions for personal data breaches, like that of nearly £100m against Marriott International.

Pension trustees and administrators also have their own duties with respect to scheme members – whether under state, workplace or private pension rules.  As an issue that regularly appears in the top 3 for UK businesses, cyber security should be taken seriously by all those in trustee or management positions for pension schemes.

How can pension schemes be better protected against cyber threats?

There are useful sources of industry guidance for pension schemes in a number of different areas.  The Pensions Regulator publishes cyber security principles for pension schemes within its regulatory remit.  Likewise, the Financial Conduct Authority provides guidance on what it expects firms to do in terms of cyber resilience.  The themes of each bear a lot of resemblance however, and include recommendations such as:
 

• Assessing and understanding the cyber risks;
• Putting in place appropriate controls, including having the right IT security, processes and people, managing supply chain risk, obtaining appropriate accreditations (like The Government's Cyber Essentials Scheme or ISO27001 compliance), and having incident response plans in place to deal with cyber incidents;
• Monitoring and reporting to assess controls, processes and response plans and the pension scheme's ability to respond to them.

Importantly, pension schemes must do what they can to ensure that scheme members are given the right warnings to be able to identify potential cyber threats and scams, including by educating members as to how pension schemes will interact and communicate with them.  Having appropriate authentication measures in place to obtain the right scheme member approvals for transactions is also important, particularly given that many pension schemes can be accessed online by members with simple usernames and passwords when compared to banks and payment providers who now often have much more sophisticated secure customer authentication techniques.
 
The threats are clear. Pension schemes are not immune from the cyber security risks and taking better precautions is essential for schemes to protect their schemes and their members.