The pensions industry can no longer hide from the uncomfortable truth that all schemes in the UK are at risk of cyber attack and data breach.
For many, it’s not a case of ‘if’ but ‘when’ they will suffer an attack or a breach; the open questions are how serious it will be and when the trustees will find out about it. The relentless march of the GDPR, with its threat of multi-million pound fines for the non-compliant, has thrown the issue of cyber security into sharp relief. But this may not have come a minute too soon for some.
Why are pension schemes particularly at risk?
There are a number of reasons.
The industry presents potentially rich pickings for a cyber attacker. Schemes look after billions of pounds’ worth of assets, and they hold exactly the type of personal member data that cyber attackers covet for facilitating identity and credit card fraud.
An increasing number of schemes offer online services to members. This improves member experience and helps with administration. But it ups the cyber risk ante.
The day-to-day operation of schemes involves data and money flow between a significant number of organisations with each flow presenting opportunities for malicious interception or data loss.
Some schemes have been slow to respond to the cyber threat. Trustees might think that cyber security is somebody else’s problem or that cyber attacks only happen to retail giants. Regulatory pressure is also recent: cyber security has only just become more of a regulatory priority. As others tighten their cyber security, attackers become ever more sophisticated and start to look at softer targets, such as pension schemes.
There have not yet been any cyber attacks on the pension industry that have hit the headlines in the UK. This might change after May 2018 with increased reporting requirements under GDPR. If we look overseas, we can glimpse possible future outcomes for the UK.
In 2015, the Japanese Pension Service suffered a virus attack that led to millions of items of personal data leaking into the public domain. In 2016, a malware attack knocked the Ukrainian Pension Fund offline, preventing member payments and destroying data. And, in 2017, the website of the Belgian pension fund Ogeo was hacked, leading to a denial of access for several hours.
What can schemes do about cyber risk?
Prevention is always better than cure.
It may not feel so, but the requirements of GDPR do provide schemes with an opportunity as much as a burdensome challenge. Trustees can take stock of where and how members’ personal data is held and how safe it is; they can review old supplier agreements and look to address cyber risk issues in a new contract; and they can look at what IT mechanisms are in place to defend against cyber attack and develop crisis response plans.
Trustees must quiz their advisers and administrators on their cyber security arrangements. What do they have to say about their compliance and certifications, and what would they do if they suffered a cyber attack?
Trustees should look at whether they have insurance in place to cover the costs of dealing with a cyber attack or data breach (which can be very significant). Trustee liability policies might not always provide insurance against these risks, and trustees may need to think about specialist products.
So, whilst the risk of cyber attack or data breach for schemes should not be underestimated, there is still plenty that trustees can do to manage and reduce cyber risk. The imminence of GDPR may just have helped the industry to confront the problem.