Now in its fifth year, the Risk Management Report surveys pension scheme Trustees on the challenges facing them as fraud and cybercrime levels increase overall in tough economic times.
The latest findings show that information security remains a key vulnerability. 43% of respondents admit they have not tested the strength of their scheme's IT systems, processes and procedures for cybercrime protection. Member identity theft remains a real risk as nearly a third of pension schemes (29%) do not use electronic ID verification for UK members. The danger is even greater with overseas members as 63% of schemes do not have electronic ID verification set up for them.
Third-party suppliers are another risk area to focus on, given so many activities are outsourced by pension schemes. 28% of respondents surveyed by Crowe have not assessed the vulnerability of their suppliers to cybercrime. That figure rises to 43% for small schemes and 33% for medium schemes.
The report also reveals a need for further investment in getting the response to a cyber incident right and minimising potential damage. At present, 47% do not have insurance to cover a cyber attack. Moreover, 42% of all pension schemes do not have access to specialist skills to investigate cybercrime incidents, rising to 50% of small schemes. Trustees could also benefit from further training – 49% have yet to receive scenario-based training on dealing with cybercrime, according to the latest figures.
These figures are particularly concerning given the increasing prevalence of cybercrime in recent years – and, in particular, its sharp rise during the pandemic. Between April 2020 and September 2021 cybercrime incidents shot up by 113%, yet a small percentage of pension schemes (5%) have no response plan in place at all for a cyber incident.
Jim Gee, Partner and National Head of Forensic Services at Crowe, said: “Fraud and cybercrime are the crimes of the 21st century, accounting for over half of all crimes in England and Wales. With their high volume of payments to members and the amount of personal data held, pension schemes are seen as attractive targets by fraudsters. Trustees need to not only be aware of that fact, but act on it and implement preventative measures to mitigate the threat and impact of an incident.
“The risk of a cyber attack is more of a ‘when’ than an ‘if’ today. Pension schemes have made a lot of progress in protecting themselves since we started our Risk Management Report five years ago but much more needs to be done as the likelihood and sophistication of attacks continue to rise.
“Trustees would be well advised to look further into testing their scheme’s IT processes and systems and they must not neglect supplier risks too. Suitable insurance to cover cybercrime incidents should also be a consideration.”
|
