Pensions are vulnerable to cyber-attacks but building resilience is easier than it seems

At first glance, pension schemes seem a much less obvious target for cyber-attack or fraud than banks or general insurers. After all, they have far fewer customer interactions and have simpler technology profiles.

But pension schemes of all sizes, including Master Trusts, should be in no doubt that they’re in the firing line of cyber and financial criminals. In fact, as banks, insurers and larger pension providers harden their defences, the UK’s thousands of small- and medium-sized pension schemes could soon find themselves increasingly threatened with attack.

Pension schemes must prepare for a range of cyber threats

It’s easy to see why. Like many small organisations, pension schemes rarely have all the in-house capabilities and resources they need to protect themselves. Their everyday controls can be rudimentary and staff sometimes lack the experience to identify and halt criminal activity. According to data from The Pension Regulator (TPR), 76 per cent of Master Trusts have already experienced some form of cyber-attack. And across a broader survey of pension schemes, only 16 per cent had all nine of TPR’s recommended controls in place.

Added to this, their reliance on external partners – including sponsor companies, third-party administrators, actuarial consultants, actuaries, banks and payroll providers – can open them up to multiple lines of attack. Outsourcing day-to-day operations should reduce some risks as administrators typically have controls in place, but delegation can also make it hard for trustees to ensure they’re meeting their responsibilities. Accountability for cyber and financial crime resilience sits with the scheme trustees.

This means many pension funds are vulnerable to a range of cyber security issues. Human error can see sensitive data lost or leaked without the proper fail-safes in place. Hacking can have a big impact without robust defences. Phishing attacks can steal information if the right education doesn’t happen. Fraud or money laundering, engineered by insiders, members, member families or external actors, can be expensive when detailed checks aren’t the norm. And bribery and corruption can seep into an organisation that doesn’t have the right culture.

The small size of many pension funds makes the financial and reputational impact of all these forms of cyber-crime worse. It’s tough to absorb the direct costs of crimes such as embezzlement, and difficult to recover from indirect costs like regulatory fines, compensation claims and technology repairs.

Making pensions more cyber resilient

The good news is, there are some simple steps pension funds can take to build their resilience without significant costs. In our experience, these six actions are most valuable:

1. Take a broad, holistic view of potential threats and risks, including thinking about staff, processes, members, external partners and service providers.
2. Assess the potential impact and likelihood of different risks and use this to prioritise responses.
3. Prepare for the worst by creating and rehearsing response plans for incidents such as hacking or fraud.
4. Test controls and get an independent party to simulate failures and assess resilience.
5. Focus on accountability, both in terms of overall governance and specific responsibilities for different risks.
6. Build awareness about risks and responses among staff, members and third-party employees.  

There’s a dual message for pension schemes here: Be alert, but don’t panic.

Pension schemes must be aware of evolving threats and the state of their own defences, and take steps to ensure appropriate resilience. But it’s equally important to realise that the right approach can achieve a major reduction in risk at relatively little cost.