As the year draws to a close and we anticipate the joy that the festive period can bring to many, those working in financial services know all too well the risk that this time of year brings as the economy booms due to extra spending on food, gifts etc, more often than not, all done online.

A specific risk firms face as a result of this increased online activity relates to cyber security, cybercrime and cyber-enabled fraud, all of which have been very topical this year in the news, including specific examples within the pensions industry.

What exactly is cyber crime?

Cyber risk is the risk of loss, disruption or damage to a scheme or its members as a result of the failure of IT systems and processes. This includes risks to information, such as member data, as well as assets.

It is important to note though that cyber crime is not fraud. Fraud is a different issue, with different solutions. For example, when a computer is used to undertake fraud, this is cyber-enabled fraud, not cyber crime. Cyber crime involves illicit intrusions into computers and networks (otherwise known as hacking) and/or the disruption of computer functionality, such as malware or ransomware. Data stolen by means of cyber crime can then be used for fraudulent purposes.

But it won't happen to my scheme….

It’s becoming clear that it's not if, but when your scheme could be at risk to cyber crime.

• 25% of schemes don’t have an adequate cybercrime breach plan
• 27% of schemes have not identified the key operations, IT systems and information flows vulnerable to cyber crime
• 29% of schemes have not assessed the vulnerability of their third-party suppliers to cybercrime
• 42% of schemes do not have access to specialist skills needed to investigate the nature of a cyber breach

(Source: Crowe’s Risk Management Survey, February 2021)

So how can Trustees start the new year better prepared for the risk that cyber crime brings?

There’s often an assumption by members that ‘everything will turn out alright’ when they retire and their pensions are therefore often pushed to the back of minds with a view of ‘I’ll look at that later’.

This lack of direct involvement by members can make it easier for fraud to occur, for example, through impersonation fraud or opportunistic pension fraud (e.g. by close friends or relatives).

To safeguard member’s benefits, Trustees should adopt the following practices:

• Prioritise cyber security, creating a cyber risk mitigation plan.​
• Undertake periodic training to stay ahead of fraudsters and cyber criminals
• Continually monitor and update your policies, procedures regularly and ensure the risk register captures data protection and cyber security risks.​
• Ensure cyber security policies are aligned between the employer and the Scheme.
• Engage with all advisors in relation to their cyber security controls and continually request evidence that controls are being adhered to.​
• Engage with your legal advisor about your legal obligations.​
• Consider financial protections available and even consider cyber insurance.​

There is a lot of information here. Could you summarise in 3 words?

Yes - understand, prevent, and respond.

We need to stop fraudsters and criminals and putting in place some of the controls suggested above will go a long way in stopping fraud and cyber crime. Prioritise such plans now.

If you have any questions or want to discuss further, please get in touch.

This blog is based upon our understanding of events as of 5 December 2023. It is a general summary of topical matters and should not be regarded as financial advice. It should not be considered a substitute for professional advice on specific circumstances and objectives. Where this blog refers to legal matters please note that Hymans Robertson LLP is not qualified to provide legal opinion and therefore you may wish to obtain independent legal advice to consider any relevant law and/or regulation.