Nearly half of UK pension schemes still do not have insurance against cyber attacks, and a similar proportion are lacking the specialist skills needed to deal with the threat.
That is according to a new report from risk advisory firm Crowe, which surveyed pension scheme trustees on the challenges facing them as fraud and cybercrime levels rise.
Worryingly, 43% of respondents said that they had not tested the strength of their scheme's IT systems, processes and procedures for cybercrime protection, while 47% did not have insurance against cyber attacks.
The survey also found that 42% of pension schemes did not have access to the specialist skills needed to investigate cybercrime incidents – rising to 50% of small schemes – and that 5% had no response plan in place at all.
This is despite cybercrime incidents increasing by 113% between April 2020 and September 2021.
“Fraud and cybercrime are the crimes of the 21st century, accounting for over half of all crimes in England and Wales,” said Jim Gee, partner and national head of forensic services at Crowe.
“With their high volume of payments to members and the amount of personal data held, pension schemes are seen as attractive targets by fraudsters. Trustees need to not only be aware of that fact, but act on it and implement preventative measures to mitigate the threat and impact of an incident.”
Looking at specific challenges, the report highlights member identity theft as a real risk, with 29% of pension schemes failing to use electronic ID verification for UK members.
The danger is even greater with overseas members, as 63% of schemes do not have electronic ID verification set up for them.
Third-party suppliers are another risk area to focus on, with 28% of respondents not having assessed the vulnerability of their suppliers to cybercrime. That figure rises to 43% for small schemes and 33% for medium schemes.
Crowe said that trustees could also benefit from further training, with 49% yet to receive scenario-based training on dealing with cybercrime.
“The risk of a cyber attack is more of a ‘when’ than an ‘if’ today,” Gee continued. “Much more needs to be done as the likelihood and sophistication of attacks continue to rise.
“Trustees would be well advised to look further into testing their scheme’s IT processes and systems and they must not neglect supplier risks too. Suitable insurance to cover cybercrime incidents should also be a consideration.”
Author: Chris Seekings