One-quarter of UK pension schemes do not have an adequate cybercrime breach plan, despite the threat being recognised as one of the top risks they face, a new survey has uncovered.
The findings from professional services firm Crowe also show that 22% of schemes are failing to properly identify the key operations, IT systems and information flows vulnerable to cyber attacks.
In addition, almost a third said that they had not assessed the cyber vulnerability of their third-party suppliers, and therefore could not attain assurance that risks are being managed appropriately.
Crowe’s researchers also found a “worrying” number of administrators relying on old-fashioned identity verification methods that are highly susceptible to fraud, and that almost half of schemes had not undertaken an independent review of the process for putting member benefits into payments.
“These latest results provide a clear takeaway for the industry: the risk of cybercrime and fraud cannot be ignored and is something that needs urgent remedying,” said Andrew Penketh, national head of pension funds at Crowe.
“Too few pension funds are properly assessing the risks, too many are lacking the expertise to combat cyber attacks, and there is a clear deficit of efficacious fraud prevention procedures put in place across the board.”
Even for those pension schemes that may have adequately assessed the risk of external threats, dishonest employees can still identify and exploit vulnerabilities.
However, half of the survey respondents said that they had not undertaken an independent review of the process of vetting staff with access to personal member data prior to their appointment.
While awareness of the threat is at an all-time high, 42% of schemes still did not have access to the specialist skills required to investigate and combat cybercrime, and 59% had not provided cybercrime scenario-based training to trustees.
Jim Gee, head of forensic services at Crowe, highlighted government figures suggesting a 92% increase in incidents of cybercrime since the outbreak of COVID-19, and said that pension schemes are particularly vulnerable.
“They are responsible for rich seams of personal data often collected over many years which is attractive for cyber criminals to steal and attack others,” he continued.
“They are also vulnerable to ransomware attacks because cybercriminals believe that the pressure to continue to make pension payments might induce pension schemes to pay the ransom which has been demanded.
“Trustees need to make sure that their schemes and third party suppliers have the right policies in place, the right training, and access to the right specialist skills. There is no time to waste because when it comes to cyber-attacks, it is not a case of if, but when.”
Author: Chris Seekings