A well-known pensions administrator has recently been the victim of a ransomware attack, and a third of all businesses reported a breach in 2019. With vast amounts of personal data held by funds and administrators, how can trustees minimise if not eliminate the risk? 

 

 

The most common methods through which hackers were able to gain access to organisations last year were phishing, impersonating other organisations, and malware including ransomware.  

 

Medium and large businesses are more at risk, and most scheme administrators fall into that category.  

 

But it is not just member data that can be hacked; the Pensions Management Institute, one of the largest member organisations in the industry, also reported a breach earlier this month, saying that a staff member’s Outlook email account had been hacked. 

 

“The attack was sophisticated with the perpetrator using a VPN through a Manchester data centre to gain access to the individual's email inbox. Once inside, they were able to see a number of member and other stakeholder email addresses,” the PMI said about the breach. 

 

Obtaining email addresses allows the perpetrators to target relevant people even better through phishing, ‘spear phishing’ - more targeted scams – and ‘whaling’, where the most senior people in an organisation are being targeted, explained Mike Selby at digital pensions service provider Mantle during a webinar organised by sister firm Spence & Partners on Tuesday. 

 

 

“What these online threats are looking for is the low-hanging fruit. They are doing their very best to sweep up as much low-hanging fruit as possible,” said Selby. “They don’t mind which financial services companies they snag in their nets, they just want to get some... they find a way in, in surprisingly automated ways.” 

 

It is therefore key to avoid being that ‘low-hanging fruit’, he said – not just on professional accounts and hardware, but also personal ones, by securing them with different passwords for example and ensuring security programmes on all devices are up to date. 

 

Since most trustees are lay people when it comes to cyber security, they should ensure at least one of their suppliers is able to provide education “in quite a bit of detail, tailored to lay people”, said Selby. 

 

If an organisation does find it has been attacked, “tell somebody immediately”, he advised, stressing the importance of this. “The watchword is, just report it,” Selby said. “Not reporting it is where these problems proliferate.” 

 

As a bare minimum, trustees need to be running up to date software, agreed Brian Spence, founder of Spence & Partners. “Anyone who does not have an up to date version of Windows X that is subject to auto-patching is a bit of a risk,” he added. 

 

As well as being up to date with all software, trustees and suppliers should have a firewall and two- factor authentication via their mobile, he said, and use strong passwords that are different for each account. 

 

 

Sean Burnard, a director at trustee firm Law Debenture, compared online security with the securing of a building that has locks, security guards and perhaps a safe as well, where only people with the right credentials can gain access. “I advocate taking a common sense approach, in a bid to make what is an enormous topic accessible,” he opined. 

 

“What's important also is where your data is held, constrain your resources and time on that. Your administrator is probably the most important to consider,” he added. 

 

As trustee boards don’t normally have the knowledge or experience to deal with cyber security, they tend to employ specialist advisers to run phishing simulations and provide training – although these experts “sometimes can’t talk the language, that’s been a bit of a barrier sometimes, but some providers have figured that out”, he noted. 

 

Covid-19 and the rise of remote working has made it even more important to have the right checks and processes in place, said Burnard. He said trustees “need to be prepared by getting people training, and for things like ransomware. You need to have a governance process in place, so that if it happens you know who to contact”. 

The process for escalating issues should be documented, including when to get in touch with the Information Commissioner’s Office, the police and scheme members. 

 

Burnard named the National Cyber Security Centre’s ‘10 steps to cyber security’ as a good starting point, and said a certification like Cyber Essentials “is good, but there are better things to have”, like ISO27001, which he believes is “feasible for big firms”. 

 

 

One big firm that has obtained ISO/IEC27001:2013 is master trust Nest, which last year published a report on cyber security together with RPMI Railpen. 

 

Nest has not observed a significant increase in suspicious cases, said its chief risk officer Dan Davis, but it maintains a close programme of monitoring. 

 

“As an online-first scheme we are acutely aware of the risks presented by cyber criminals. We have comprehensive processes in place to reduce the risk of such attacks. These processes are kept under constant review and updated frequently,” said Davis, noting that while companies cannot stop every attack from occurring, preparedness and operational resilience are key. 

 

He wants to see more campaigns to educate and raise awareness, similar to the ScamSmart campaign undertaken jointly by the Pensions Regulator and the Financial Conduct Authority. “The industry needs to do more of this, working together to help coordinate the battle against scammers and drive knowledge to the consumer to help protect them against being scammed,” the spokesperson said. 

TPR should be able to raise awareness, although its executive director of regulatory policy, analysis and advice, David Fairs, has previously admitted that the regulator lacks the skills to provide guidance on the matter, which instead tends to come from the ICO and the NCSC. The Pensions Administration Standards Association also offers some guidance on cyber security. 

 

Sean Burnard

Brian Spence