Cybercrime: the latest risk to our industry

by Colin Wheeler

When I started my career in pensions, which was of course what I had aspired to throughout my school days 😊, the buzz words in the office or at trustee meetings would seem very strange today – words like “surplus”, “contribution holiday” (any holiday would be welcome at the moment!) and “Old IR limits” – yes, there were limits back then too! For some joining the industry after me there would be “equalisation”, “salary cap” and “A Day”.

Fast forward to the very weird, and sometimes also wonderful world of lockdown and social distancing, and you will find the language of “GDPR” and “cyber security”. It’s all a long way from internal mail and microfiche, more like something you’d hear in a sci-fi movie. But cybercrime is really happening, and it could in fact be happening somewhere very close to you!

Sought-after data

Over the years, as pensions administration has moved from a paper-based or record-card industry to being almost fully digitised, it has become an industry rich in personal data that fraudsters would dearly love to get their hands on. Take a moment to think about it: names, dates of birth, NI numbers, bank details and addresses, all held in one convenient place for thousands or even millions of people. All data which, if it fell into the wrong hands, could have catastrophic consequences – both financial and reputational.

The use of laptops, external drives and other forms of removable storage media and devices has increased over the years, a trend accelerated by the move to home working as a result of the pandemic. However, a consequence of living in this era of digitalisation and portability is an increased risk of data loss.

Trustee responsibilities

Cyber security should now be something which is embedded into the risk register of all Trustee Boards, and discussed regularly with those who control and process scheme data. This should go further than simply asking for confirmation that a cyber security policy is in place. Evidence should be sought that this policy is robust, is tested and is fit for purpose. It is concerning that a recent survey by leading audit firm Crowe (Crowe Risk Management Report 2020) found that a quarter of schemes do not have an adequate cybercrime breach plan in place.

As the way in which many scheme members now access their records moves online, with greater levels of automation and self-serve, so the risks attached to this increase, as the data is now reachable over the public internet and exposed to criminals. Cybercrime has risen quickly up the list of risks for pensions organisations because of the level of sophistication being employed by criminals. As quickly as security develops and evolves, the cyber criminals will work to find ways to penetrate it. A recent Information Commissioner’s Office (ICO) report (PASA Cybercrime Guidance November 2020) showed that of 158 breaches reported since the inception of GDPR, at least 43 were categorised as relating to Security, Unauthorised access or Phishing. For anyone who thinks that cybercrime is something that only happens in other industries or countries, this report should quickly dispel that thought.

For all organisations there are now increasing costs associated with guarding against cybercrime. There are layers of protections in place to pick up all forms of potential attacks; these will have initial upfront plus ongoing costs. One area you can’t put a cost on is the reputational damage that would arise were your defences to be breached and data lost or stolen. Let’s hope you never have to quantify this.

Types of risk

The types of risk which we are having to guard against nowadays are varied. They can arise externally, internally (including accidentally) or through supply chains. While we can mitigate all of these, the one that is most certainly within our own grasp to control is the accidental risk to which our own staff are vulnerable. This covers areas like weak passwords or enabling malicious content by clicking on a link or attachment, which can easily be done on any given day. In fact, this last point contributes to more security breaches than anything else. The industry is making tremendous efforts to guard against these risks by educating staff about what to watch out for and guard against. Bodies like PASA, PRAG and The Pensions Regulator have helped by issuing very useful guidance on the matter. Ultimately, however, it only takes one lapse or moment of weakness for all the good work to be undone.

The widespread change in working patterns over the last 12 months has not helped matters. At the time most organisations were embedding cyber security policies into their processes, almost all staff were office based. These policies now need to cover the risks associated with home working, which in some cases will now be permanent. Recent government statistics (Professional Pensions 19 February 2021) show that there has been a 92% increase in incidents of cybercrime since the pandemic started; a stark reminder to us all that this risk is real.

So, going back to where we started and matters for discussion at trustee meetings. While the pandemic has brought issues such as strength of covenants and scheme funding levels to the fore, it should also have brought about proper scrutiny of a scheme’s cyber defences and wider information security policy. Don’t say you weren’t warned!
