Mitigating supply chain risks

Pension schemes are inherently reliant on their third-party suppliers to fulfil their legal obligations to the Pensions Regulator; they must ensure that the correct amount of pension is paid to the correct person, at the correct time. To fulfil these obligations, pension schemes rely on their administrator to oversee a large proportion of their financial operations, meaning it is an essential cog within the pension scheme eco-system.

Scheme administrators are entrusted with the financial security of countless pensioners; any disruption at the administrator would have a detrimental impact on the scheme’s ability to uphold these obligations. As such, pension scheme administrators are an increasingly attractive target for a variety of cyber-attacks, but most notably ransomware. Not only is the immediate disruption caused by a ransomware attack particularly devastating, but also exfiltrated data as part of the attack can be sold on for further criminal purposes, such as identity theft.

The impact of a cyber incident

• Financial: The impact of cybercrime can result in substantial monetary losses, ranging from direct theft of funds to the costs associated with investigation and rectifying the breach, compensating affected parties, and investing in enhanced cybersecurity measures to prevent future attacks.
• Reputational: Cyber breaches can compromise personal information, including sensitive data such as national insurance numbers, addresses, and financial records of scheme members. Trust is a cornerstone of the pensions sector, and a breach of this information not only leads to potential identity theft but also undermines the confidence of beneficiaries in the security measures of the pension scheme.
• Legal: Regulatory and legal repercussions of a cyber incident are particularly profound in the pensions sector. Administrators are subject to stringent regulatory compliance measures, and a breach can lead to severe penalties for failing to protect sensitive data adequately. Legal battles, investigations and fines incurred due to non-compliance further strain resources and can tarnish the reputation of the administrator.

Actions for administrators

1. Ensure your organisation has stringent incident response processes in place, which are documented and contain your key contacts; it is always best to assume the inevitability that your organisation will be attacked at some point.
2. Regular infrastructure assessment and penetration testing should take place to identify any out-of-date software, open ports, or expired certificates. These vulnerabilities should then be promptly remediated to ensure any potential avenues for hackers are closed.
3. To further mitigate the impact of cybercrime, pension scheme administrators must invest in robust cybersecurity measures: implementing encryption, regular security updates, multifactor authentication, employee training and strict access controls are fundamental. Investing in cyber insurance to cover potential financial losses from cyber incidents should also be considered and is becoming increasingly crucial in safeguarding against unforeseen breaches.

How can we help?

The impact of cybercrime on pension scheme administrators is beyond financial losses, it includes erosion of beneficiary trust and regulatory and legal ramifications. As protectors of vast amounts of sensitive personal and financial data, pension scheme administrators are grappling with the unprecedented challenges posed by cyber threats, but you do not have to suffer alone.

Our Forensic Services team are here to assist with any governance or technical projects that your organisation may require. The Forensic Services team are well-established in the pensions sector, having worked with schemes of all sizes to help improve their response to cyber threats, and have a successful record of enhancing cyber resilience sector-wide. Please contact Tim Robinson or your usual Crowe contact for more information.