From hackers stealing information from TalkTalk to Anthem, Michael Klimes looks at how safe schemes are from cyber criminals
- Cyber security is becoming more of a concern for the financial industry including the pensions sector
- Trustees are not driving the process to improve cyber security
- Third party administrators can only do as much as trustees let them
- Members should start treating their personal pension data like bank account details
The pensions industry is not known for being tech-savvy, but it will have to become so. During 2015 a number of major brands became victims of sophisticated cyber criminals. The telecommunications company TalkTalk and the health insurer Anthem made headlines after they were hacked and lost valuable customer data.
Pension schemes are not immune to such attacks. The recent RSM Pension Fraud Risk Report 2015 revealed a number of startling findings.
It found that member transactions in schemes with between 2,000 and 10,000 members were the most targeted by fraudsters. One third of pension schemes experienced fraud in 2015, with risks to members increased by the introduction of the April pension freedoms.
The research also showed that a large proportion of schemes (40%) had not tested their internal controls within the past 12 months, contrary to The Pensions Regulator's recommendations. Furthermore, almost half of trustee boards (47%) had not received training on mitigating fraud risk, although this was an improvement on the last survey in 2013, when the figure was 57%.
All of these findings point to a problem that can no longer be ignored by trustees, third party administrators (TPAs) and members according to Veratta chief operating officer Monica Cope.
"Cyber security is an operational risk affecting organisations of all size, including pension schemes, which could be particularly attractive to cyber criminals due to the wealth of personal and financial information that is stored and processed," she says. "Huge volumes of pension scheme information now sit on internal IT networks and in the cloud, and every organisation handling or processing this information is a potential victim of cyber-crime."
As 'data controllers', trustees have a statutory duty to comply with data protection legislation and carry ultimate responsibility for protecting members' information. They are liable for breaches of the Data Protection Act, including breaches by third parties working on their behalf, such as administrators, actuaries and legal advisers. The stakes are therefore higher for trustees than for anyone else involved. However, there are a number of measures they can take to protect themselves and their schemes.
Trustees should establish an information security policy setting out roles and responsibilities, objectives and principles for all parties involved. They can also reduce their risk by reviewing the cyber security policies of their suppliers. Written agreements should be in place with all suppliers so that there is no misunderstanding about who is obliged to meet which security requirements. Finally, trustees should develop a cyber incident response plan, and test it, so that the scheme can respond effectively when an incident occurs.
However, there is no guarantee trustees can have watertight security and that is one of the dilemmas trustees find themselves in. Cope says: "No organisation or scheme is immune from cyber-crime and the more we do and share online, the more vulnerable we become. Cyber-attacks are continuing at an exponential rate, and no scheme can ignore the risk of cyber-attack. Every individual and organisation connected to the internet is a potential vulnerability to an information security management framework."
Contract vs trust
The contention that some organisations are more vulnerable than others is worth exploring. In pensions, are trust-based schemes more vulnerable than contract-based ones, or vice versa? Cartwright business development director Dave Carstairs observes there is no clear-cut answer. "Contract-based schemes are typically the domain of the large insurers who within their operational strategy encourage individual members to access their scheme benefits online rather than having any contact with an administrator," he says.
The possibilities and pitfalls of online access cut across to trust-based schemes. "Similarly with trust-based schemes, particularly the larger ones, there is an increasing tendency to have more automation, which again means the member has no interaction with an administrator but merely selects their option and the request is actioned. Given this changing service model it is even more imperative that robust and appropriate levels of security are in place up front so as to protect the member data and minimise the threat of cyber-attack by unscrupulous persons," Carstairs adds.
Although trustees are important players in cyber security, the TPAs who handle the data are critical as well. Trafalgar House Pensions Administration (THPA) chief financial officer Richard Tartaglia says the firm has gone beyond the industry standard in terms of security. "All our IT used to be on site and we have put it into a managed secure environment. All our servers are independent and we do penetration testing. We felt the investment had to be made. Tier 4 is the highest level of security you can get, but if you open it up to members and allow them to access their own records, that is where the risk is. So we do everything to mitigate that. But are we a target as a TPA? I don't know, I think there are more high-profile targets. It happens in every industry and not just in pensions."
Trafalgar House Pensions Administration managing director Garry Wake says the perspective of an administrator can give them a view of cyber criminals that trustees might not have. "Often you find as a TPA that you have to respond to other people's mishaps," he says.
"You are always learning from other people's mistakes because you can put every protection in place but you cannot be sure nothing will happen. These people [cyber criminals] are clever. This is what they do. I think trustees should be more enquiring of the provider they get."
The way to strengthen data protection at schemes is to have rigorous internal standards. Wake continues: "I think the way to tackle it is that an auditor comes in as part of the review of the scheme's accounts. Why couldn't the auditor's review be a little broader than that? There is a requirement for the industry to have a form of reporting or stewardship. There could be a remit for an auditor to come and say your 'environment is not suitable'."
But on the question of trust-based schemes Tartaglia comes back to the responsibility of trustees and asks: "Who knows what cyber fraud will look like in five years' time? TalkTalk is a wakeup call for the whole industry. They [trustees] are not driving the industry and the industry's response. It is a bit strange because trustees are very data mindful."
Clearly TPAs and trustees have to be more proactive in how they approach cyber security but members need to be aware of their responsibilities as well. Cartwright's Carstairs says people must take their own security seriously.
"Members now obviously have the ability to access their data through online portals," he says. "Consequently that needs to be a secure process to ensure that it has the same level of security as banking. Change online passwords regularly and take the same approach as if you were accessing a bank account. Effectively the members' pension benefit is like a bank account for retirement."
The onus is on everyone to do what they can to fight cyber criminals and ensure data breaches do not become a regular occurrence.
Five steps trustees can take to reduce the risk of fraud
- Include fraud risk and internal controls in your risk register, and test them regularly. Ensure your Annual Report also considers fraud risk.
- Define your fraud risk policy and assign responsibility to every stakeholder so they know their duties and how to take action.
- Review fraud risk on a regular basis, ideally at least twice a year.
- Keep up to date on fraud crimes and understand where you are vulnerable, e.g. breakdowns in internal controls and a lack of segregation of duties between departments.
- Educate trustees so they know how to recognise fraud, how to report it and why it is unacceptable.
Source: RSM