Pension scheme trustees should prepare for rising cyber-crime, says RSM UK

RSM UK is highlighting the importance of cyber risk awareness among pension trustees ahead of the Pensions Regulator’s new Singular Code, anticipated this summer.

Recent research published by RSM highlights that, despite a significant increase in cyber-attacks, the proportion of businesses that think they are likely to fall victim has fallen. According to RSM UK’s ‘The Real Economy’ report, over a quarter (27 per cent) of businesses have experienced a cyber-attack in the past year, up from one in five (20 per cent) last year. Yet despite the increased risk, the proportion of businesses that felt they were ‘very likely’ to fall victim to a ransomware attack has fallen significantly, from 34 per cent in 2021 to just 24 per cent this year.

Research by Aon last year suggests pension scheme providers in particular need to do more to protect schemes. According to its report, only 2 in 5 occupational pension schemes have a robust incident response plan in place. More worryingly, over 60 per cent of schemes have not assessed the potential financial impact of a cyber-attack, and only 2 per cent have a cyber insurance policy in place.

Ian Bell, Head of Pensions at RSM UK, says: ‘Pension schemes are a particularly attractive target for cybercriminals, due to the value of funds they protect and the large amounts of sensitive member data they hold. Trustees need to have a full understanding of their cyber footprint, which third parties hold their data and what measures are in place to protect it. Pensioners or elderly members can often fall victim to phishing attacks, as they may be less familiar with technology and the methods of deception deployed by fraudsters. Older people are also more likely to suffer from illnesses that impact their cognitive reasoning, such as dementia, making them potentially vulnerable to exploitation by cybercriminals, who seek to deceive them into transferring their funds - either with promises of higher returns, or claims that their pension fund needs to be moved to ‘protect’ it.’

Pension scheme trustees should also be aware of the increased risk of ransomware attacks. These attacks, in which hackers steal or encrypt data and then hold a business to ransom for it, have escalated 100 per cent since the pandemic, according to the Information Commissioner’s Office (ICO). They are expected to rise further in future, partly due to changing external events such as rising inflation, volatile financial markets and the current Russia-Ukraine situation.

Ian Bell said: ‘We’d urge all pension scheme trustees to review their cyber security strategy now and ensure any areas that could be improved are addressed promptly, as the risk of ransomware attacks and other cyber security risks has increased in the current climate. The Pensions Regulator outlines how it expects trustees to behave in relation to cyber risks, so trustees who are unsure of their responsibilities should refer to this guidance and also the requirements of the new singular code, due this summer. Pension providers should also do all they can to support older people and help them understand the risks and methods deployed by fraudsters so they can avoid falling victim.’

Cybersecurity Ventures, a leading research firm covering the cyber economy, predicts that by 2031 ransomware will cost victims $265bn a year, with an attack expected to take place every 2 seconds, up from every 11 seconds in 2021.

In recent weeks, the data extortion group LAPSUS$ has shown how teenage cybercriminals with few financial resources can extort data from large companies including Microsoft, NVIDIA and Samsung. With such sophisticated and high-profile technology companies, which invest significantly in cyber security, still coming under threat, all businesses must remain vigilant to the threat of cyber-attacks.

Cyber-crime is now so prevalent that ransomware is even available to buy as a service, more commonly known as RaaS (ransomware as a service). Criminal syndicates supply the ransomware to would-be attackers, so these criminals often need very little technical knowledge to carry out an attack. This has exponentially increased the number of attacks that are possible. The current Russia-Ukraine situation means the threat of an attack, particularly on financial services organisations, is increased, as state-sponsored groups carry out advanced persistent threat (APT) campaigns.

Tips to prevent a cyber-attack:

  • Educate pension trustees so they have a clear understanding of cyber risks.
  • Keep all operating systems and software up to date to ensure the latest security patches are installed. This includes monitoring the patching processes adopted by third-party providers.
  • Ensure all systems are set up to automatically apply security updates.
  • Back up all data, and ensure the backups are routinely tested for recoverability.
  • Encrypt any data deemed confidential, personal or commercially sensitive.
  • Ensure all individuals involved in handling data are educated to spot and report any possible threats or attacks.
  • Use strong, complex passwords and multi-factor authentication.
  • Ensure any online customer transactions are secure.
  • Assess the risk-based need for specialist third-party support or cyber insurance.
  • Drive a strong security and awareness culture.
  • Ensure that trustee email addresses are secure, or use addresses provided through the sponsoring employer’s system.