Cybercrime is big business and it’s growing. Is your scheme adequately protected in the event of an attempted cyberattack? Our publication Taking action on pension scheme cybersecurity set out the main cyber threats and outlined the steps that trustees could and should take to protect their schemes’ and members’ interests. It should be read in conjunction with this note. This briefing looks at the Regulator’s draft General Code and its recent statement in response to a highly publicised pensions data breach, and sets out some actions trustees should consider taking to protect their schemes from this increasing risk.
Cybersecurity – why is it essential?
Pension scheme trustees have been aware of the need for cybersecurity for some time now. Cybersecurity means protecting your electronically secured data, and the IT systems used to process that data, from unlawful outside interference, access or use. At the time of the lockdown during the Covid pandemic, “conventional” crime was hugely reduced but the level of cybercrime exploded – that threat has not receded. In the 12 months ending September 2022, almost half of all crime committed was cybercrime or fraud. In the UK, organisations and individuals are now two and a half times more likely to suffer fraud or cybercrime than any other crime. In the same period, some 44 pension schemes reported successful cyber-attacks to the Information Commissioner’s Office (ICO).
The upshot is that trustees clearly need to be on their guard. In the pension scheme context, cybersecurity breaches can include:
- Hackers gaining access to trustees’ or administrators’ computer systems.
- The introduction of a virus or malware.
- Human error by someone processing data incorrectly – for instance, by sending member details to the wrong email address.
What makes pension schemes such attractive targets, and therefore more vulnerable to a data breach?