The pensions sector has reported 43 data breaches to the Information Commissioner's Office since July 2018. Here are some simple steps that trustees can take to protect their schemes from cyber security attacks.
The Pensions Research Accountants Group (PRAG) recently updated its 2018 guidance to reflect developments in the nature of cyber attacks and an increase in data breaches in the pensions sector.
COVID-19 has affected every part of industry and society, and cyber security and data protection have not been immune. The rapid shift to a primarily home-working workforce, disruption of supply chains and changed working patterns caused by caring responsibilities have altered the landscape in the fight against cybercrime. Cybercriminals, for their part, have treated lockdowns as an opportunity to take advantage of this new environment and to target specific sectors, including the pensions sector.
From what clients have been telling us, there has been an increase in cyber crime activity directed towards pension schemes in recent months. Pension scheme trustees are therefore increasing their focus on cyber security and on the mechanisms that protect personally identifiable information (PII), particularly because widespread remote working has drawn attention to the cybercrime risks in this area.
Why pension schemes are attractive cyber attack targets
Pension schemes present attractive targets for cyber criminals for several reasons. The information dealt with by schemes includes vast amounts of PII, including health data, on older and potentially vulnerable members of the community. This information is valuable to criminals as they can trade or sell the data in order to conduct further crimes.
The largely outsourced model used by the majority of schemes, whereby different service providers perform the functions needed to administer the scheme, also presents a broad attack surface for cybercrime. From actuaries to scheme administrators, accountants and other professional advisers, the security of the scheme's information depends on each provider's security controls and data sharing mechanisms as well as on those of the scheme itself. Schemes that run administration and accounting functions in-house face challenges of their own, such as older software that may require more dedicated support to maintain, the need to ensure proper segregation of duties, and putting in place appropriate IT support to protect scheme information.
Types of cyber security attack
Cyber attacks and data breaches vary in their type and modus operandi. Ransomware attacks block access to systems and information, typically by encrypting them, and demand payment in cryptocurrency to restore access.
Cyber attackers may also target individuals in schemes, such as staff in particular departments or trustees, with phishing campaigns to gain access to the organisation. Once they have breached the organisation’s defences, they will aim to exfiltrate information from specific systems to sell or trade with other criminals.
But breaches can also be caused by insiders, either intentionally or by accident. This could be through making information available to someone who does not have a right to see it, accidentally sending information to the wrong person, or stealing information with the intention of causing reputational damage, financial harm or disruption to operations.
Six steps to protect pension scheme data
Schemes can take a number of simple steps to protect the information they hold and mitigate against the threat of cyber attacks:
1 Assess the ‘crown jewels’ of information in the scheme, where this is and what controls are in place to protect it
2 Monitor for leaked PII, such as health and bank details, that may be being traded by cyber criminals on the dark web
3 Review the approach of third parties to accessing scheme PII
4 Test networks and systems and run regular vulnerability scans to detect ‘open doors’ that could be leveraged by cyber criminals
5 Provide increased training and awareness so that trustees and staff understand their responsibilities and work from home securely
6 Make staff aware of the need to report data breaches internally as soon as they become aware of an issue
The Pensions Regulator (TPR) has also set out guidance for scheme managers and trustees to follow. It covers areas such as the accountability of managers and trustees, access to the right skills to manage cyber risk, understanding the cyber footprint of the scheme, and regularly reviewing cyber risk and making sure that adequate controls are in place, including undertaking due diligence on third party suppliers and having a coherent incident response plan.
In addition, schemes should establish cyber security roadmaps. These should focus on risk reduction and deploying the right resource to tackle projects and improvements. They should also ensure that management and trustees are briefed and understand actions that need to be taken in the event of a data breach or cyber security incident.
The good news is that by focusing regular attention on the area of cyber security and deploying the right resources to identify and mitigate the risk, pension schemes can rapidly reduce their exposure to cyber attacks and data breaches without necessarily costing the earth.
Guidance is available to assist schemes to approach cyber security in a proportionate way and implement appropriate actions.