Now in its fourth year, the Governance and Risk Management report considers the changes to governance and operations of UK pension schemes in light of the impact of COVID-19 on working practices of pension schemes, both in the short and medium term.
This year’s results show that many schemes are ill-prepared to combat the increasing threat of cyber risks and fraud with 22% of all schemes surveyed failing to properly identify the key operations, IT systems and information flows vulnerable to cybercrime.
Despite the reliance of pension schemes on outsourcing to third-party providers, almost a third (29%) of all schemes also said they have not assessed the cyber vulnerability of their third-party suppliers and therefore cannot attain assurance that risks are being managed appropriately.
Furthermore, almost half (46%) of schemes have not undertaken an independent review of the process for putting member benefits into payments. Crowe’s researchers also found a worrying number of administrators still relying on old-fashioned identity verification methods that are highly susceptible to fraud.
Even for those pension schemes that may have adequately assessed the risk of external threats, dishonest employees can still identify and exploit vulnerabilities. However, 50% of respondents said that they had not undertaken an independent review of the process of vetting staff with access to personal member data prior to their appointment.
Identification of threats and vulnerabilities is only one piece of the puzzle, with subsequent action required to shore up defences as a means of fraud protection and prevention. While awareness of the threat is at an all-time high amongst respondents, 42% of all schemes still do not have access to specialist skills required to investigate and combat cybercrime and 59% have not provided cybercrime scenario-based training to Trustees.
Taken together, this leaves pension schemes in a perilous position and vulnerable to immediate attack.
Andrew Penketh, National Head of Pension Funds at Crowe, comments: “It’s no secret that 2020 will be remembered as a year of significant disruption and hardship for many businesses. Yet for all the good work done, these latest results provide a clear takeaway for the industry: the risk of cybercrime and fraud cannot be ignored and is something that needs urgent remedying.
“Too few pension funds are properly assessing the risks, too many are lacking the expertise to combat cyber-attacks and there is a clear deficit of efficacious fraud prevention procedures put in place across the board.
“A pension, in many ways, represents a life’s work. The industry must better protect the fruits of people’s labour, rather than funding early retirement for undeserving fraudsters. We urge the industry to appreciate the seriousness of the risk posed by cybercrime and take appropriate measures in response.”
Jim Gee, Partner and Head of Forensic Services, comments: “The latest Government statistics show that, since the advent of COVID, there has been a 92% increase in incidents of cybercrime and that cybercrime and fraud now represent over 50% of all crime.
“Pension schemes are particularly vulnerable to cybercrime, for two reasons. They are responsible for rich seams of personal data often collected over many years which is attractive for cyber criminals to steal and attack others. They are also vulnerable to ransomware attacks because cybercriminals believe that the pressure to continue to make pension payments might induce pension schemes to pay the ransom which has been demanded.
“More pension schemes are now taking action to get properly protected - ensuring that the technological protection is in place but also that they are ready to manage an attack when it happens and to respond and mitigate damage. Trustees need to make sure that their schemes and third party suppliers have the right policies in place, the right training, and access to the right specialist skills. There is no time to waste because when it comes to cyber-attacks, it is not a case of if but when.”
Judith Hetherington, Pension Funds Partner at Crowe, comments:
“This is now the fourth edition of our Governance and Risk Management report, which has shone a light on the risks and threats faced by Trustees, as well as the actions that can be taken to mitigate those threats. While it is clear that a significant amount of work has already been undertaken, the risks to the industry are greater than ever. Pension scheme governance has never been straightforward, and the COVID-19 pandemic has prompted a sudden need to reassess the strength of covenants and scheme funding levels, as well as shore up cyber defences.
“The insight gathered in our research examines the best ways to successfully execute such governance activity. The single most important thing to do is to recognise the risks, seek expert advice when required and take action. There is always scope for improvement and the findings in our survey clearly map out the key areas that Trustees should be prioritising in the coming months. Indeed, over the years Crowe has helped Trustees to proactively identify new and emerging risks, developing best practice guidance around governance and arming Trustees with the tools to make smart decisions for their schemes.”