At first glance, pension schemes seem a much less obvious target for cyber-attack or fraud than banks or general insurers. After all, they have far fewer customer interactions and have simpler technology profiles.
But pension schemes of all sizes, including Master Trusts, should be in no doubt that they’re in the firing line of cyber and financial criminals. In fact, as banks, insurers and larger pension providers harden their defences, the UK’s thousands of small- and medium-sized pension schemes could soon find themselves increasingly threatened with attack.
It’s easy to see why. Like many small organisations, pension schemes rarely have all the in-house capabilities and resources they need to protect themselves. Their everyday controls can be rudimentary, and staff sometimes lack the experience to identify and halt criminal activity. According to data from The Pensions Regulator (TPR), 76 per cent of Master Trusts have already experienced some form of cyber-attack. And across a broader survey of pension schemes, only 16 per cent had all nine of TPR’s recommended controls in place.
Added to this, their reliance on external partners – including sponsor companies, third-party administrators, actuarial consultants, actuaries, banks and payroll providers – can open them up to multiple lines of attack. Outsourcing day-to-day operations should reduce some risks as administrators typically have controls in place, but delegation can also make it hard for trustees to ensure they’re meeting their responsibilities. Accountability for cyber and financial crime resilience sits with the scheme trustees.
This means many pension funds are vulnerable to a range of cyber security issues. Without the proper fail-safes in place, human error can see sensitive data lost or leaked. Without robust defences, hacking can have a big impact. Without the right education, phishing attacks can steal information. Fraud or money laundering, engineered by insiders, members, members’ families or external actors, can be expensive when detailed checks aren’t the norm. And bribery and corruption can seep into an organisation that doesn’t have the right culture.
The small size of many pension funds makes the financial and reputational impact of all these forms of cyber-crime worse. It’s tough to absorb the direct costs of crimes such as embezzlement, and difficult to recover from indirect costs like regulatory fines, compensation claims and technology repairs.
The good news is that there are some simple steps pension funds can take to build their resilience without significant costs. In our experience, these six actions are most valuable:
There’s a dual message for pension schemes here: Be alert, but don’t panic.
Pension schemes must be aware of evolving threats and the state of their own defences, and take steps to ensure appropriate resilience. But it’s equally important to realise that the right approach can achieve a major reduction in risk at relatively little cost.