Nearly half (47 per cent) of UK pension schemes do not have insurance against cybercrime attacks and 43 per cent have not tested the strength of their IT systems and procedures for cybercrime protection, according to Crowe’s Risk Management Report.

The research also found that 42 per cent all pension schemes do not have access to specialist skills to investigate cybercrime incidents, rising to 50 per cent of small schemes, while 49 per cent of trustees are yet to receive scenario-based training on cybercrime.

In particular, the research raised concerns that member identity theft remains a real risk, noting that nearly a third (29 per cent) of pension schemes do not use electronic ID verification for UK members, increasing to 63 per cent for overseas members.

Third-party suppliers were highlighted as another risk area to focus on, as the research found that 28 per cent of respondents have not assessed the vulnerability of their suppliers to cybercrime, rising to 43 per cent for small schemes and 33 per cent for medium schemes.

The report suggested that the figures were particularly concerning in light of the increasing prevalence of cybercrime in recent years, specifically amid the pandemic, noting that between April 2020 and September 2021 cybercrime incidents rose by 113 per cent.

Action is being taken, however, as the report revealed that only a small percentage of pension schemes (5 per cent) have no response plan in place at all for a cyber incident.

In light of the findings, Crowe partner and head of forensic services, Jim Gee, suggested that trustees would be well advised to look further into testing their scheme’s IT processes and system, emphasising that "they must not neglect supplier risks too".

He continued: “Fraud and cybercrime are the crimes of the 21st century, accounting for over half of all crimes in England and Wales.

"With their high volume of payments to members and the amount of personal data held, pension schemes are seen as attractive targets by fraudsters. Trustees need to not only be aware of that fact, but act on it and implement preventative measures to mitigate the threat and impact of an incident.

“The risk of a cyber-attack is more of a ‘when’ than an ‘if’ today. Pension schemes have made a lot of progress in protecting themselves since we started our Risk Management Report five years ago but much more needs to be done as the likelihood and sophistication of attacks continue to rise."

Share Story: