PASA launches cyber and fraud information sharing network


The Pensions Administration Standards Association is launching an information sharing network which will collect and share cyber and fraud incidents on an anonymous basis to spot trends, warn of evolving threats and offer examples of how incidents can be dealt with. 

The Cyber and Fraud Information Sharing Network was launched by PASA on Tuesday. Tim Robinson, a partner at law firm Crowe who chairs PASA’s cybercrime and fraud working group, said the group is still recruiting members with risk management and risk governance expertise, and that there is also a role for a senior leadership member.

Robinson highlighted the stats behind cybercrime and fraud, which now make up 41% of all crime – and possibly as much as half – having been turbocharged during the pandemic as much economic activity moved online. Cybercrime and fraud continue to grow, at a 175% rate since 2022, further fuelled by the advent of artificial intelligence. The International Monetary Fund estimates that such crime will cost $23tn (£17tn) globally by 2027. 

Recent high-profile attacks have affected Marks & Spencer, the Co-op and, in the pensions space, administrator Capita, which was fined £14m last year after some data was accessed by hackers.

The key difference between attacks on companies like M&S and pension firms is that customers can buy their food somewhere else, said Robinson, but they cannot immediately port their pension from a targeted provider or administrator. Members could see impacts ranging from delayed payments, retirements and death processing, to the loss of sensitive data such as national insurance numbers or bank details. 

The recovery from a cyber incident tends to be costly and time-consuming, with a forensic investigation probably having to be followed by the creation of new controls and processes. Firms that have fallen victim might also face fines or even legal action by affected consumers and third parties, as well as damage to reputation and trust.

Similarly, fraud is an ongoing and evolving threat, suggested financial risk management lead at Hymans Robertson, Gillian Baker. The most recent attempts are increasingly impersonations and fake death certificates, often linked to South Africa, which the Pensions Regulator also recently warned of.

Family fraud appears to be a regular issue – a pensioner’s next of kin might not notify a scheme of a death and benefit from their pension payments, with overpayments difficult to recover, or family members might take advantage of vulnerable pensioners through power of attorney. Vulnerable customers can also fall victim to scams and rogue IFAs. Lastly, Baker said there is a risk of internal fraud, where an employee takes data, for example.

Fraud is not limited to one victim – “speed matters” to fraudsters who work on a ‘rinse and repeat’ basis, said Railpen chief information security officer Shaun Roberts.

“The question is not if attacks will target others; it’s if organisations are warned in time,” he said.

Roberts noted that other sectors – including finance, health and energy – already have similar information sharing networks.

The network is needed, it seems; one person in the audience at Tuesday’s launch said they were unable to tell worried clients whether an incident like the Capita hack could have happened at their firm because the Pensions Regulator declined to reveal details, saying they are confidential to Capita.

There will be a launch webinar on 8 May for anyone interested in the information sharing network.

Why has the industry not shared information on threats to date?
