Is your pension scheme cyber risk ready? 

Cyber risk for pension schemes is a real threat. Are you prepared?

Britain’s computer systems and data are under heightened threat — and pension schemes are no exception to this danger. The Pensions Regulator is increasingly concerned about schemes’ resilience against system or data breaches that put members at risk — caused either by internal failings or malicious actors.

These hostile forces include nation states trying to destabilise the economy, gangs stealing data for ransom and millions of lower-level fraud incidents. Government figures show that roughly four in 10 UK businesses suffer a cyber attack per year.1 Fraud and cybercrime now account for more than half of all crime in the UK.

The threat is growing as cyber criminals become increasingly sophisticated and agile, operating as businesses to target the best prospects for success. At the same time, the pandemic has accelerated the conduct of business online and increased the number of people working from home, making data more vulnerable. There were 1.6 million UK computer misuse offences in the year to March 2022 — up 89% from two years earlier.2

Watch our video to find out what you need to know and what your first steps should be on your journey to becoming cyber risk ready.

Learn more about other pension scheme risks - DEI and climate.

Cyber crime is already targeting UK pension schemes

Pension schemes have been under assault from cyber criminals for some time. In 2022, 42 UK schemes, including those of FTSE 100 companies, reported cyber attacks to the Information Commissioner’s Office3.

TPR has responded to the growing threat by setting out new expectations for trustees in its General Code. The new code states that for pension schemes an effective system of governance, including internal controls, requires measures to reduce cyber risk. It also states that functioning cyber controls will help trustees in complying with data protection legislation and may reduce liabilities in the event of a data breach.

The cost of a cyber attack can be significant — financially, for your reputation and most importantly for your members. The ICO has imposed record fines and criticised well-known companies whose customers’ personal details were seized by hackers.

Internal failings unconnected to crime can also cause severe damage. The Financial Conduct Authority has fined banks tens of millions of pounds  for systems failures that locked customers out of their accounts for extended periods. Even leaving aside the regulator’s concerns, the cyber threat is growing — and now is the time to put your house in order. Crucially, this means taking action to prevent cyber incidents but also having processes in place to respond and protect your scheme when a breach occurs.

Pension schemes are attractive targets for cyber attacks

Broadly defined, cyber risk for pension schemes is the risk of loss, disruption or damage to a scheme or its members caused by the failure of its information technology systems and processes. The threat includes risks to information (data security) and assets, and covers internal risks (for example, from staff) and external risks such as hacking or phishing.

Pension schemes may be particularly exposed to cyber risk for the following reasons:

  • Volume of data
    Pension schemes process and manage large volumes of personal and financial information that can be misused by hackers or sold on the black market.
  • Sensitivity of data
    The personal and financial data held by pension schemes is of a sensitive nature that will incur large penalties if compromised. The information that schemes have about members — from bank accounts to dates of birth and personal information — would be extremely valuable if offered on the dark web.
  • Third-party exposure
    The personal and financial data held by pension schemes is of a sensitive nature that will incur large penalties if compromised. The information that schemes have about members — from bank accounts to dates of birth and personal information — would be extremely valuable if offered on the dark web.
A further reason for criminals to target pension schemes is that a large proportion of schemes are not as resilient against cyber attacks as they should be. Many schemes also have high-profile parent organisations with valuable brands they want to protect.

Threats and risks posed to schemes by cyber crime

Cyber crime threatens all aspects of a pension scheme’s operations — from payment of benefits to the scheme’s assets. The main types of cyber threats for UK pensions schemes include:
  • Ransomware

    Systems or data are encrypted by the attacker using software to force payment of a ransom. Ransomware is the biggest threat to UK organisations’ data and surveys suggest the UK is subject to one of the highest rates of ransomware attack globally4.
  • Data theft

    Information is subject to unauthorised access — for example by exploiting an unpatched vulnerability in a system and taking a copy. Pension schemes have information about members that would be extremely valuable for sale on the dark web. 
  • Cyber enabled fraud

    Data is used to steal personal details and potentially commit fraud.
  • Denial of service

    A system or website is subject to a sustained attack which stops it being used.

Read our report on cyber.

Cyber risk is a rapidly increasing threat for all UK organisations - including pension schemes. Read our report to understand the risks, how to prepare and what key steps trustees should take now.
The potential consequences of a cyber attack are severe and far-reaching for a scheme, its trustees and parent company. They include:
  • Personal responsibility
    Trustees are legally responsible for ensuring good governance and protecting their members. TPR’s single code reinforces this responsibility because courts must take codes of practice into account, which is not the case with the current guidance5.
  • Loss of assets
    Millions of pounds move regularly between schemes and member bank accounts, creating opportunities for criminals to steal money.
  • Regulatory penalties
    The ICO has powers to impose large fines on organisations that allow their computer systems to be breached.
  • Cost of response

    A severe data breach triggers a chain of significant spending on actions such as:

    • repairing systems that have broken down or been attacked
    • a forensic investigation to determine the cause of the incident
    • any redress due to members
    • legal and public relations fees
    • keeping members informed (for example, with a call centre)
  • Reputational cost
    Large data breaches that affect consumers attract headlines that are damaging for the company and its management. This negative publicity is often prolonged by regulatory fines. Trustees’ reputations may also be affected if the scheme has not taken sufficient action to protect members’ data.

Placing cyber protection at the top of your governance agenda

Faced with the increased risk of a cyber incident and the potential consequences if one occurs, it’s time to put cyber security at the top of your scheme’s governance to-do list.

We are already helping schemes protect themselves. Together with our sister company Marsh, Mercer can provide an unparalleled range of services to make your scheme resilient against a cyber incident and prepared if the worst does happen.

Here are some key initial questions you should ask as you consider your next steps:

  • Where are your weakest links and are you aware of any potential exposure to cyber risk?
  • Do you have a response plan to use if your scheme or a key supplier comes under cyber attack?
  • Do your procedures need to be updated to reflect challenges created by remote working?
  • When did you last ask your service providers and advisers if they have updated their cyber policies or provided mandatory training for employees?

Pension schemes are vulnerable to cyber-attacks due to the large amount of assets and personal data they hold, as well as frequent financial transactions between stakeholders. Because of this, cyber risk for pension schemes is a topical and rapidly evolving area and is one of the growing threats to the security of members’ benefits.

The Pensions Regulator has set expectations for trustees to consider how well schemes are protected against cyber risk. This is becoming a greater focus area in the new Code of Practice. Therefore it is ever more important that trustees consider, test and improve the cyber resilience of their schemes.

As this is a relatively new and developing area for pension schemes, many trustees are struggling to know where to start the conversation or what actions they need to take. We can help - speak to a specialist today.

1 Department for Digital, Culture, Media & Sport. Cyber Security Breaches Survey 2022. 2022
2 Office for National Statistics. Crime in England and Wales: Year Ending March 2022. 2022
3 ico. Disclosure IC-168413-Z9R6
4 UK Suffers Third Highest Number of Ransomware Attacks Globally, Computer Weekly, September 28, 2022
5 Stephenson Harwood, pensions law group. Cybersecurity: is your pension scheme prepared for the expected? Fail to prepare: prepare to fail.

Related products for purchase
Related events
Related solutions
Related insights