The CrowdStrike outage this summer provided another reminder for trustees of the importance of contingency plans in case of technology issues.
Richard Pettit, partner in the pensions and lifetime savings department at law firm Burges Salmon, said this summer's CrowdStrike outage provided a stark reminder to the pensions industry of the importance of cyber security for its schemes and stakeholders.
The global outage in July was not a cyber attack but was traced back to a faulty update to security software from cyber security firm CrowdStrike, which crashed the Windows machines it was installed on and disrupted trading desks, banks, healthcare providers and airlines among others.
It followed a Capita cyber security incident last year that hit schemes including the Universities Superannuation Scheme, and the BBC's cyber security incident in May this year.
Burges Salmon’s Pettit said: “The pensions industry arguably did not need another reminder of the importance of cyber security for its schemes and stakeholders.
“However, the global IT outage that took place this summer has provided another such reminder – highlighting the heavy reliance of modern society on our digital infrastructure, and equally, the vulnerability of it.
“Pension schemes are not immune to such threats. They hold extensive personal data about scheme members and manage large assets, making them attractive targets for cyber criminals.
“The IT outage underscores the modern world’s reliance on IT infrastructure. It serves as a reminder of the importance of having contingency plans in place for when the arguably inevitable happens.
“Pension schemes, like all organisations, must ensure they are prepared for such incidents, highlighting the critical role of robust cybersecurity measures in safeguarding members’ benefits.”
Not if, but when
Pettit’s comments followed a previous warning by Roseanne Corbett, client director at Muse Advisory, who said: “It’s not ‘if’ a cyber incident will occur but ‘when’.
“The way we need to think about cyber risk, given how challenging it is to prevent it, is to be as prepared and well-equipped as possible to respond to an attack, recover from it and be resilient in its aftermath.”
The Pensions Regulator (TPR) is increasingly concerned about schemes’ resilience against system or data breaches, and has updated its cyber principles in the recently published General Code.
Pettit added: “TPR states that an effective system of governance for pension schemes requires measures to reduce cyber risk.
“Most relevant in this instance is that of having the likes of a business continuity plan and incident response plan in place, so that the scheme is prepared for the incident, e.g. by having back-up systems available to replace the affected systems, and react promptly and effectively to other effects.”
The European Insurance and Occupational Pensions Authority (EIOPA), the EU supervisory authority for insurers and occupational pension schemes, recently updated its risk dashboard, which now predicts an increase in digitalisation and cyber risk over the next 12 months.
Further reading
Trustees ‘must be wary of cyber risks’ after BBC breach (6 June 2024)
Cyber attack is a risk like any other – so manage it (30 August 2023)
The Pensions Regulator reacts as cyber-attacks on the increase (14 December 2023)