Analysis: Cyber criminals are now targeting the savings and personal information of thousands of retirees and pension members with unparalleled aggression, experts have warned, as a sector that has historically lagged on digital security is forced to adapt to new technology during lockdown.

In an industry that has maintained a fondness for office meetings and hefty paper packs throughout the digital age, the coronavirus pandemic could finally expose a number of shortcomings, as sophisticated cyber criminals set their sights on trustees, administrators and individual pension members alike.

Zoom boom

These alarm bells in the pensions sector come amid concerns throughout the business world about the safety of video conferencing software in particular, with both the government’s National Cyber Security Centre and the Information Commissioner’s Office recently warning organisations about potential security holes in these applications.

The video platform Zoom, which has already been banned by governments in Germany and Taiwan following the exposure of significant privacy flaws, has quickly emerged as one of the most popular applications among pension trustees, at a time when meetings discussing potentially sensitive information on investments and individual members are being called far more often than usual.

“Lots of our trustee board clients have been forced to change the way they are working quite rapidly,” said Oliver Topping, a senior associate at law firm Sackers, whose clients have been using Zoom as well as a number of other applications.

“They would always have held their meetings in person at their offices. There is not a particular awareness of which platforms might be the safest or the most appropriate to use,” he added.

Admin presents target

The sudden introduction of unfamiliar software and working arrangements will only reinforce weaknesses that have long been targeted by cyber criminals.

In the final three months of 2019, the ICO recorded 258 personal data breaches in the finance, insurance and credit industry, equivalent to nearly three every day.

Although it does not break down the figures by sector, among the most vulnerable are pension funds, which generally hold even more money and personal information than bank accounts, while investing far less in cyber security.

Even the Pensions Regulator was the target of more than 343,000 email attacks in 2019, an increase of 148 per cent over the previous year.

The most targeted organisations are often third-party administrators, who are responsible for storing vast amounts of personal data on pension members, and who have been receiving and handling much more information digitally since the world went into lockdown.

It may be difficult for pension boards to ensure this data is being managed properly, however. Experts said that in some cases third parties are based abroad in countries such as India, where lockdown laws have been even more abrupt and draconian.

“Because many services are outsourced there is not always visibility of the level of protection,” said Jim Gee, partner and head of forensic services at Crowe UK, who also chairs the Pensions Administration Standards Association’s cyber crime and fraud working group.

“Pension schemes need to be careful they are asking searching questions about these administrators. I’m not sure these searching questions are always asked.” 

Without such scrutiny, the consequences could be serious for pension fund managers as well as their members. Trustees could be liable for a data breach, according to Mr Topping, and he “would not be surprised” if an administrator is compromised by a cyber attack soon.

Fraud and scams

While their retirement savings and personal information sit more precariously in the hands of pension funds, some of the most malicious attacks are arriving in the inboxes of pension members themselves.

A 400 per cent increase in Covid-19-related fraud has already been reported by the City of London Police within a month, while TPR, the Financial Conduct Authority, and the Money and Pensions Service have issued a joint warning on the rising threat of criminals exploiting fears over the market turmoil to trick victims out of their savings.

“Pensions is an area that is often targeted by cyber criminals, particularly when you are dealing with pensioners who are less savvy than younger users,” said James Walsh, a partner at law firm Fieldfisher.

With vulnerable people being hounded by fraudsters to switch their pensions, trustees could be doing a lot more to educate them, he added. “Every one of these schemes should be thinking about what they can do themselves to protect their members from fraud and scams that are going on during this crisis.”

Silver lining

Ominously, while a number of experts said cyber criminal activity has surged during the pandemic, they cautioned that most evidence of this is yet to emerge, as attacks can often remain hidden for weeks or even months. 

There is also an awareness that, as is the case throughout the economy, the effects of lockdown could endure long after the current crisis.

“We are already seeing some schemes that are considering changes even when things have settled down,” said Claire Barnes, senior pension management consultant at Barnett Waddingham.

Many trustees are now seeing the benefits of regular, brief video meetings over seven-hour conferences in the boardroom, she added.

If the sector is eventually able to adapt without compromising security, Covid-19 could even emerge as the belated inspiration many pension funds needed to overhaul their operations.

“The industry is still using a lot of paper and it has probably been slightly slower than other industries to digitalise,” said Mr Walsh.

“Now everyone is being forced to modernise, and the pensions industry is no exception to that. It is a silver lining.”