A quarter (25 per cent) of pension schemes admit to not having an adequate cybercrime breach plan, despite trustees acknowledging it as a top threat, according to Crowe.
The national audit, tax, advisory and risk firm’s annual Governance and Risk Management report said that this had left schemes “ill-prepared” to combat the threat of cybercrime and fraud, noting that more than a fifth (22 per cent) of schemes were unaware of the key operations and IT systems most vulnerable to fraud.
Additionally, almost a third (29 per cent) of all schemes had not assessed the cyber vulnerability of their third-party suppliers and therefore could not attain assurance that risks were being managed appropriately.
It appeared that part of the problem was a lack of understanding, as more than two-fifths (42 per cent) of schemes still did not have access to specialist skills required to investigate and combat cybercrime and 59 per cent had not provided cybercrime scenario-based training to trustees.
Nearly half (46 per cent) of schemes said they had not undertaken an independent review of the process for putting member benefits into payments, with Crowe stating that its researchers found a “worrying number of administrators still relying on old-fashioned identity verification methods that are highly susceptible to fraud”.
Finally, Crowe added that even schemes that had assessed the risks of external threats could be vulnerable to actions of dishonest employees, noting that 50 per cent of respondents said that they had not undertaken an independent review of the process of vetting staff with access to personal member data prior to their appointment.
Crowe national head of pension funds, Andrew Penketh, said: “Too few pension funds are properly assessing the risks, too many are lacking the expertise to combat cyber-attacks and there is a clear deficit of efficacious fraud prevention procedures put in place across the board.
“A pension, in many ways, represents a life’s work. The industry must better protect the fruits of people’s labour, rather than funding early retirement for undeserving fraudsters. We urge the industry to appreciate the seriousness of the risk posed by cybercrime and take appropriate measures in response.”
Crowe partner and head of forensic services, Jim Gee, commented: “Pension schemes are particularly vulnerable to cybercrime, for two reasons. They are responsible for rich seams of personal data often collected over many years which is attractive for cyber criminals to steal and attack others.
“They are also vulnerable to ransomware attacks because cybercriminals believe that the pressure to continue to make pension payments might induce pension schemes to pay the ransom which has been demanded.”
Crowe pension funds partner, Judith Hetherington, concluded: “The single most important thing to do is to recognise the risks, seek expert advice when required and take action. There is always scope for improvement and the findings in our survey clearly map out the key areas that trustees should be prioritising in the coming months.”