Following the publication of the latest Office for National Statistics cybercrime and fraud statistics, the Pensions Research Accountants Group (PRAG) has set out some guidance on the need for schemes to adopt holistic cybersecurity protections. The research shows the position for the 12 months ending June 2021 compared to the 12 months ending March 2020.
In that timeframe there were 1,772,000 incidents of cybercrime, a startling increase of 102%. In addition, law firm Sackers has identified that in the 12-month period ending March 2021 a third of pension schemes experienced data breaches - of which almost half were reported to the Information Commissioner’s Office (ICO).
With the inclusion of cybersecurity in the proposed new single code of practice, and the recent discovery of the significant Log4j vulnerability, trustees and scheme management should be actively considering cyber threats as risks to the scheme, and have a plan in place to manage and mitigate these on an on-going basis.
Attacks targeting new working practices
The move towards mobile working brought about by the pandemic has led to cyber criminals actively exploiting vulnerabilities in the online infrastructure of organisations. Information systems (IS) teams have had to adapt existing tools and services, while introducing new technologies at pace. This, in turn, has led to weaknesses in security controls.
Phishing attacks, that use fake emails from reputable companies to dupe users, have increased since the start of the pandemic. According to research by Sophos, 70% of organisations have noticed an increase in phishing since March 2020. Criminals have used this disruption to generate more inspiration for their campaigns, such as the use of HMRC furlough guidance as the basis for emails.
The PRAG guidance also refers to cyber criminals using artificial intelligence to target schemes and outsourced suppliers. Attackers regularly use scanning software to identify vulnerabilities such as unpatched software and open ports identified online. These vulnerabilities are ‘low hanging fruit'. They are straight-forward for organisations to address and fix and can be considered basic cyber hygiene. An example of this has been the swift exploitation of the Log4j vulnerability to deliver ransomware almost immediately after being discovered. The vulnerability can be addressed by upgrading to the patched version Log4j2.
Proactive cyber threat management
How can schemes identify cyber exposure proactively, particularly in relation to leaking information and technical weaknesses in the provision of services?
Undertaking cyber threat reviews and internal audits is a key feature of risk management and an important way to make sure that cybersecurity and data protection controls are designed and operating effectively. There are also additional ways, focusing on the use of new technologies, that can be used to look for information that may have been compromised and keep watch over the security of online infrastructure, such as web portals.
One emerging technique is to monitor sets of information to detect leaks as a form of early alerting. Cyber criminals will typically trade information that they have acquired on the dark web. By scanning traded datasets and data dumps on a frequent basis, it's possible to pick up indications of data that may have been inadvertently leaked or been exfiltrated from key systems.
Another technique is to undertake active monitoring of the digital footprint of the organisation. This may involve checking that the security is configured appropriately for any access points into the environment and monitoring for any domains that are registered that may be used to ‘spoof’ legitimate communications or support web pages and forms to extract information from members.
Ongoing cybersecurity for schemes
Trustees must continue to be vigilant about cybersecurity threats and ensure that they are proactively considering security, including the arrangements of any outsourced suppliers that they use. Supply chain compromise is a growing area of cyber risk and has been identified by The Pensions Regulator (TPR) for consideration by trustees and scheme management.
In our work with trustees we regularly review the risk posed by suppliers who are handling significant amounts of personal information or providing services that enable the scheme to fulfil obligations to members. Increasingly trustees and scheme management are considering new ways of proactively monitoring suppliers for leaking data and testing online infrastructure for weaknesses, for example, through the use of vulnerability scanning software.
Cybersecurity will form a part of the proposed new single code of practice that is expected to be issued in its final form in 2022. This will likely be based on the current cybersecurity principles set out by TPR in the draft issued for consultation earlier this year, that covered 10 of the existing codes of practice. The principles cover the accountability of trustees and scheme management, managing cyber risk to the scheme and making sure that adequate controls are in place.
Trustees and scheme management should ensure that they are up-to-date with the principles and consider assessing scheme arrangements against these.
