Trustees firing or criticising administrators for reporting cyber breaches damages trust and transparency, write PASA’s Margaret Snowdon and Kim Gubler, in response to reports of ransomware attacks that could — and do — happen to anyone in the industry.
Administrators are now leveraging web-based technology for member communications and core platforms. But with this advancement comes cyber risk.
Over the summer, we saw stories in the press about security breaches involving pensions data and pensions administrators. It was perhaps the shock the wider industry needed, because there have been few such reports since web technology became a fundamental tool in pensions administration.
The fact we have not heard about cyber attacks in pensions administration gives the impression they are relatively rare and the party breached must have been lax in some way. But for every technological advance the pensions industry makes, the criminals are there with us, ready to take advantage of any vulnerability.
The Pensions Administration Standards Association has launched guidance on cyber risk, because it is such a huge risk to the pensions industry and the people who rely on it for their retirement income.
It is no surprise that £2.5bn of members’ money could attract the attention of both amateur and professional hackers and thieves.
Trustee behaviour creates perverse incentive
Our accreditation lays out the minimum standards we expect scheme administrators to adopt to protect as best they can against cyber attacks. But it does alarm us when doing the right thing about phishing and ransomware attacks leads to negative behaviour.
Administrators who spot and deal with a cyber attack must inform affected scheme trustees as soon as practical. But we are troubled to observe that doing so can lead to penalties or even dismissal for the administrator.
Not only that, when some professional trustees were informed of an attack on one scheme, this knowledge was spread to others that were unaffected. This is the wrong behaviour.
What it does is demonise an administrator doing the right thing by coming clean about an attack, and somehow singles them out as ‘less safe’ than administrators who appear to suffer no attacks, when in truth no one knows whether this is actually the case.
Cyber criminals are increasingly sophisticated and relentlessly target data-rich sources, either for financial gain or even for mischief. Pension schemes are one such rich source, which is why administrators spend significant sums on protecting member data.
Even so, we are surprised at the low number of reported cyber incidents. Could it be that hack attacks are either going unnoticed or, worse, being concealed?
Neither is attractive, but if the direct consequence of notifying trustees and authorities of a breach is pariah status, then it is no wonder some may prefer to sweep it under the carpet, or worse still, refuse to look.
Open discourse advances best practice
Protecting against cyber attacks is a serious and expensive business. Doing the right thing is vital, so we all learn from each other’s experiences.
But if we shoot the messenger, we will lose a valuable tool in the fight against cyber crime. We urge all scheme administrators to carry out the necessary vigilance to protect scheme data and ensure breaches have as small an impact as possible.
Our forthcoming guidance and standards will set this out. However, attacks will happen, and are happening, because hackers do not let up and they get better at it all the time.
Even the largest, most sophisticated organisations suffer cyber attacks; we only hear about those making it into the press, or where personal data is compromised and individuals are asked to take protective action themselves. We should not assume the pensions industry is any safer.
Catching attacks as early as possible helps to limit the damage. Sharing the basic facts of an attack alerts others to be on the lookout for a similar attack.
Punitive action against reports is self-defeating and damages trust and transparency in the industry. We need to fight cyber attacks together, not apart, and trustees have a vital and responsible role to play through their actions and reactions.
Margaret Snowdon is president and Kim Gubler is chair of the Pensions Administration Standards Association