Could your retirement savings and investments be vulnerable to a cyber attack? The bad news is that the answer is almost certainly yes.
Think of the data held online by the occupational pensions sector (accounting for £3 trillion in assets): names, dates of birth, bank details, national insurance numbers, and more.
It’s a hacker’s dream, particularly when you factor in that the pensions industry has been slower than other financial services sectors in addressing these kinds of attacks. There are all sorts of possible reasons for this state of affairs. One might be that scheme trustees believe other parties (e.g. scheme administrators) hold primary responsibility for cyber security. Another possible factor is that regulators have been accused of not prioritising cyber security enough.
Whatever the reasons, it’s no surprise that leading financial companies have predicted that cyber security will be one of the leading issues faced by pension technology in 2017.
There are some important developments on the horizon that you, as a pension holder, will likely want to be aware of. One is the EU’s new General Data Protection Regulation (GDPR), which comes into effect in the UK in May of next year. It will impose stringent new requirements on the handling and protection of personal data, and those requirements will also apply to pension schemes.
How Might A Cyber Attack On Your Pension Occur?
Even with the GDPR coming into effect, pension holders and those seeking pension advice need to be aware of the risks. Pension schemes need to take vigilant action to prevent a cyber attack, which could have a devastating effect on their clients’ finances.
A cyber attack can take a number of forms. It might involve a security breach in which your banking details are stolen. It might involve fraudulent transfer requests that lead to a loss of assets. This latter scenario could play out over the course of many years, going undetected until the pension scheme member seeks retirement.
Hackers and cyber criminals are well aware of the sinister “opportunity” presented to them by pension schemes. Don’t assume this is the stereotypical, hormonal teenager messing around on a laptop in their bedroom.
Indeed, many cyber criminals operate in highly organised groups, working together in a clandestine, almost business-like structure. One person or team might be assigned to identifying new attack opportunities, whilst others might be dedicated to assessing the monetary prize potential and target resilience.
Remember, cyber criminals only need to make one successful raid on a pension scheme to cause eye-watering, life-shattering damage to many people’s lives. Fortunately, at the time of writing no major attack on a pension scheme has been publicised. Schemes should therefore take the opportunity to put sensible, preventative measures in place. If they are worried about the short-term cost of doing so today, they should be even more mindful of the far more horrendous situation a successful attack would produce later on.
What Can Be Done?
Acting now takes several forms. The first step forward is for pension schemes to raise the issue of cyber security higher up on their agendas. The matter should be discussed alongside other business-critical matters such as budgets, deficits and investment strategies.
Another important step is to ensure that adequate, up-to-date IT policies and procedures are in place should the scheme find itself the victim of a cyber attack. There also need to be resilient communication protocols, ensuring that coordinated, swift action is taken to protect client assets and personal data. Moreover, staff and those involved in the scheme’s administration should all receive appropriate training, so they are equipped to handle a cyber attack and stay ahead of hackers.
Scheme administrators play an absolutely crucial role in protecting against cyber attacks. Indeed, regular questions need to be asked of such teams:
- Are they aware of the risks surrounding cyber, and what preventative measures have they taken?
- Are their IT infrastructure and systems closely monitored? Are they subject to regular, rigorous testing for vulnerabilities?
- Is there an established scheme for incident management?
- Is there a culture of staying up to date, and complying with, industry best practice?
- Are there clear, resilient governance structures adequately set up?
- Are they appropriately certified (e.g. under the UK government’s Cyber Essentials scheme)?
It will also be important for pension schemes to carefully review and monitor their third party relationships. After all, hackers often focus their attacks on a target’s supply chain.
The frightening reality is that once an attacker gets through the perimeter, they can wait undetected within the system for long periods of time, waiting for the optimal, opportune moment to strike. When that moment comes, they seize control of the system. The trustees of the pension scheme might then be threatened with a system shutdown unless they yield to the hackers’ demands.
Think of how much havoc would be wreaked if a cyber attack like this happened just prior to payroll…