Britain’s computer systems and data are under heightened threat — and pension schemes are no exception to this danger. The Pensions Regulator is increasingly concerned about schemes’ resilience against system or data breaches that put members at risk — caused either by internal failings or malicious actors.
These hostile forces include nation states trying to destabilise the economy, gangs stealing data for ransom and millions of lower-level fraud incidents. Government figures show that roughly four in 10 UK businesses suffer a cyber attack per year [1]. Fraud and cybercrime now account for more than half of all crime in the UK.
The threat is growing as cyber criminals become increasingly sophisticated and agile, operating as businesses to target the best prospects for success. At the same time, the pandemic has accelerated the conduct of business online and increased the number of people working from home, making data more vulnerable. There were 1.6 million UK computer misuse offences in the year to March 2022 — up 89% from two years earlier [2].
Cyber crime is already targeting UK pension schemes
Pension schemes have been under assault from cyber criminals for some time. In 2022, 42 UK schemes, including those of FTSE 100 companies, reported cyber attacks to the Information Commissioner’s Office [3].
TPR has responded to the growing threat by setting out new expectations for trustees in its General Code. The new code states that for pension schemes an effective system of governance, including internal controls, requires measures to reduce cyber risk. It also states that functioning cyber controls will help trustees in complying with data protection legislation and may reduce liabilities in the event of a data breach.
The cost of a cyber attack can be significant — financially, for your reputation and most importantly for your members. The ICO has imposed record fines and criticised well-known companies whose customers’ personal details were seized by hackers.
Internal failings unconnected to crime can also cause severe damage. The Financial Conduct Authority has fined banks tens of millions of pounds for systems failures that locked customers out of their accounts for extended periods. Even leaving aside the regulator’s concerns, the cyber threat is growing — and now is the time to put your house in order. Crucially, this means taking action to prevent cyber incidents but also having processes in place to respond and protect your scheme when a breach occurs.
Pension schemes are attractive targets for cyber attacks
Broadly defined, cyber risk for pension schemes is the risk of loss, disruption or damage to a scheme or its members caused by the failure of its information technology systems and processes. The threat includes risks to information (data security) and assets, and covers internal risks (for example, from staff) and external risks such as hacking or phishing.
Pension schemes may be particularly exposed to cyber risk for the following reasons:
Volume of data
Pension schemes process and manage large volumes of personal and financial information that can be misused by hackers or sold on the black market.
Sensitivity of data
The personal and financial data held by pension schemes is of a sensitive nature that will incur large penalties if compromised. The information that schemes have about members — from bank accounts to dates of birth and personal information — would be extremely valuable if offered on the dark web.
Third-party exposure
The personal and financial data held by pension schemes is of a sensitive nature that will incur large penalties if compromised. The information that schemes have about members — from bank accounts to dates of birth and personal information — would be extremely valuable if offered on the dark web.
Personal responsibility
Trustees are legally responsible for ensuring good governance and protecting their members. TPR’s single code reinforces this responsibility because courts must take codes of practice into account, which is not the case with the current guidance [5].
Loss of assets
Millions of pounds move regularly between schemes and member bank accounts, creating opportunities for criminals to steal money.
Regulatory penalties
The ICO has powers to impose large fines on organisations that allow their computer systems to be breached.
Cost of response
A severe data breach triggers a chain of significant spending on actions such as:
- repairing systems that have broken down or been attacked
- a forensic investigation to determine the cause of the incident
- any redress due to members
- legal and public relations fees
- keeping members informed (for example, with a call centre)
Reputational cost
Large data breaches that affect consumers attract headlines that are damaging for the company and its management. This negative publicity is often prolonged by regulatory fines. Trustees’ reputations may also be affected if the scheme has not taken sufficient action to protect members’ data.
Placing cyber protection at the top of your governance agenda
Faced with the increased risk of a cyber incident and the potential consequences if one occurs, it’s time to put cyber security at the top of your scheme’s governance to-do list.
We are already helping schemes protect themselves. Together with our sister company Marsh, Mercer can provide an unparalleled range of services to make your scheme resilient against a cyber incident and prepared if the worst does happen.
Here are some key initial questions you should ask as you consider your next steps:
- Where are your weakest links and are you aware of any potential exposure to cyber risk?
- Do you have a response plan to use if your scheme or a key supplier comes under cyber attack?
- Do your procedures need to be updated to reflect challenges created by remote working?
- When did you last ask your service providers and advisers if they have updated their cyber policies or provided mandatory training for employees?
Pension schemes are vulnerable to cyber-attacks due to the large amount of assets and personal data they hold, as well as frequent financial transactions between stakeholders. Because of this, cyber risk for pension schemes is a topical and rapidly evolving area and is one of the growing threats to the security of members’ benefits.
The Pensions Regulator has set expectations for trustees to consider how well schemes are protected against cyber risk. This is becoming a greater focus area in the new Code of Practice. Therefore it is ever more important that trustees consider, test and improve the cyber resilience of their schemes.
As this is a relatively new and developing area for pension schemes, many trustees are struggling to know where to start the conversation or what actions they need to take. We can help - speak to a specialist today.
[1] Department for Digital, Culture, Media & Sport. Cyber Security Breaches Survey 2022. 2022.
[2] Office for National Statistics. Crime in England and Wales: Year Ending March 2022. 2022.
[3] ICO. Disclosure IC-168413-Z9R6.
[4] Computer Weekly. UK Suffers Third Highest Number of Ransomware Attacks Globally. September 28, 2022.
[5] Stephenson Harwood, pensions law group. Cybersecurity: is your pension scheme prepared for the expected? Fail to prepare: prepare to fail.