With Cyber Security Awareness Month behind us, now’s the perfect time to reflect on the evolving landscape of cyber security, especially in relation to pension schemes.
Recent incidents have shown that the importance of robust cyber security measures cannot be overstated, especially as cyber threats continuously evolve and become increasingly sophisticated and targeted. A serious cyber incident can generate significant operational costs, legal consequences and reputational damage.
Cyber Security Awareness Month and the scale of the issue
Cyber Security Awareness Month is an annual international initiative to educate individuals and organisations about the importance of protection from cybercrime. Awareness is a powerful tool, and with the initiative over for another year, now is an opportune moment for us to reflect on the scale of the issue. According to the UK Government's Department for Science, Innovation and Technology's Cyber Security Breaches Survey 2024, some 74% of large businesses report having experienced some form of cyber security breach or attack in the last 12 months. IBM's annual Cost of a Data Breach Report 2024 suggests the global average cost of a data breach in 2024 is £3.7m, marking a 10% increase over 2023 and the highest total ever recorded in its study. Nevertheless, we should remain acutely aware that the costs can be far higher.
To put this into perspective, rarely a day goes by without media coverage of significant ongoing cyber attacks against a wide range of organisations.
For example, during October, the Internet Archive, a nonprofit digital library, confirmed its third security breach of the month, while the genomics company 23andMe settled a $30 million (£23m) lawsuit relating to the data breach it suffered last year.
Furthermore, Microsoft published its alarming Digital Defense Report 2024 in October, stating that the world faces more than 600 million cyber-attacks every day. Generative AI is contributing to the increased sophistication and success rate of these attacks. The report also highlights the persistent role of cyber operations in broader geopolitical conflicts.
Pension schemes, which manage vast amounts of sensitive personal and financial data, have become prime targets for cybercriminals. The threat landscape has expanded significantly, with cyberattacks ranging from phishing and ransomware to sophisticated data breaches. These attacks can lead to substantial financial losses, identity theft, and a loss of trust among scheme members.
Key risks to pension schemes
- Data breaches: Unauthorised access to sensitive data can result in the exposure of members' personal information, leading to identity theft and financial fraud, as well as potential repercussions for data controllers/processors from the Information Commissioner's Office (ICO)
- Ransomware attacks: Cybercriminals can cripple systems, encrypt sensitive data and demand a ransom for its release, disrupting operations. The tactics used during ransomware attacks have also shifted in the last few years to include exfiltration of data, ramping up the pressure to make payments
- Phishing and social engineering: Fraudulent communications designed to trick individuals into revealing personal information, credentials or the download of malware can compromise the security of pension schemes
- Insider threats: Employees or contractors with access to sensitive information can pose a significant risk if they misuse their access, either intentionally or unintentionally
Six months on from the introduction of the general code
The adoption of new cyber controls and processes stipulated in The Pensions Regulator's (TPR's) general code of practice has been a significant focus for pension schemes during 2024.
Many were on this journey in advance of the new general code's official launch, while others have since been working hard to meet the new expectations and build well-thought-out and appropriate cyber policies, processes and controls covering trustees as well as key suppliers. Nevertheless, building this resilience has been challenging for some. Areas of difficulty have included:
- Varied levels of readiness: Pension schemes vary widely in their readiness and ability to implement new cyber controls and robustly designed governance processes. Larger schemes with more resources have generally been quicker to adopt these measures, while smaller schemes may face more challenges due to limited resources, expertise and understanding of an appropriate response
- Compliance and implementation: TPR has outlined clear expectations for cyber security, including the need for robust internal controls, regular assessments of the supply chain, and comprehensive incident response plans. While many schemes have made substantial progress in aligning with these requirements, some are still in the process of fully integrating these controls and processes into their operations
- Ongoing education and training: Regular education and training is critical for maintaining adequate awareness and ensuring all stakeholders understand their roles in cyber security. This has been an area of ongoing development, with schemes working to improve awareness and preparedness among trustees and to fully understand the controls and processes at their key suppliers
- External support and expertise: Many pension schemes have sought external support to meet the new requirements. Where boards have lacked cyber insight and expertise, many have engaged external experts to focus strategic thinking. This has helped bridge gaps in knowledge and resources. Sponsoring employers' security teams can also provide valuable resources and knowledge, but trustees need to clearly understand the risks from the scheme's perspective
How can Administrators support raising cyber resilience?
- Regular training and awareness programmes: Continuous education for employees and stakeholders on the latest cyber threats and best practices is essential. Everyone has their part to play. This is particularly important as phishing and social engineering remain a key method for deploying attacks
- Incident response planning: Unfortunately, there's no silver bullet that keeps an organisation 100% protected from cyber-attacks. Therefore, being prepared and able to respond effectively during an incident is critical and will significantly reduce the impact. A well-defined incident response plan ensures that cyber incidents can be responded to quickly and effectively. Hosting collaborative cyber incident scenario training with schemes can really help to evidence processes and continuity planning in advance of an incident, while establishing roles and responsibilities
- Regular security assessment: Conducting regular security and vulnerability assessments will help identify and address potential weaknesses in systems and processes. Sharing evidence of this with schemes is an important aspect of maintaining checks and balances. It will also help trustees comply with TPR's expectations
- Keeping up to date with technological advancements: Technological advancements are essential for protecting beneficiaries from cyber-enabled fraud. Utilisation of tools like biometric checks can be crucial to raise the robustness of controls and counter new developments in technology that threat actors are exploiting, such as artificial intelligence and deepfakes. Administrators have a key obligation to protect members and ensure the correct individual receives the correct payment at the correct time
Conclusion
Cyber Security Awareness Month once again played a crucial role in highlighting continued risks and promoting best practices to mitigate them. Throughout October, organisations focused on educating employees and stakeholders about the importance of cyber hygiene, such as using strong passwords, recognising phishing attempts, and regularly updating software.
While the journey for many schemes towards full compliance with TPR's cyber security guidelines is ongoing, significant strides have been made. The focus on continuous improvement, education, and leveraging external expertise is helping pension schemes enhance their cyber resilience. As cyber threats continue to evolve, maintaining vigilance and adapting to new challenges will be key to safeguarding the interests of pension scheme members.
Administrators play a crucial role in maintaining security and shouldn't underestimate their responsibility in helping trustees fully understand the processes and controls that have been established, and are being developed, to build and maintain resilience within the supply chain. A key aspect of this is ensuring that suppliers also meet the expectations set for trustees and can clearly evidence this.
Tim Robinson is chair of the Pensions Administration Standards Association's cybercrime and fraud working group and a forensic services partner at Crowe UK