The increasing frequency and magnitude of cyber-attacks on British businesses have prompted the UK’s pensions industry to consider its own resilience, especially during de-risking processes when scheme members’ data is at a heightened state of vulnerability.
Awareness of the potential hazards posed by hackers has been raised amid high-profile data breaches at major employers including retailers Marks & Spencer and Harrods, as well as automaker Jaguar Land Rover, which halted production following an attack.
While the UK’s pension and insurance industries have not publicly reported such large-scale direct attacks, experts have warned that they will undoubtedly be targets and that they should bolster their defences.
“Most occupational pension schemes have been preoccupied with achieving the goal of buy-out and ensuring that they can achieve pricing to secure their liabilities, and that has been the primary, sole driver, up until relatively recently,” said Daniel Taylor, a Director at pensions administrator Trafalgar House.
“But I also think thrown into that should be cybersecurity resilience, because that affects the interests of all the members.”
Trustees have been warned to be especially careful during de-risking journeys. Pension schemes hold large volumes of personally identifiable information (PII) on members, information that is attractive to fraudsters. During pension risk transfer (PRT) transaction negotiations, that data is transferred to the various parties involved in the process, including the insurer and other third-party agents.
This poses a number of dangers. When datasets are ingested by external systems, individual data points can become corrupted, mismatched, incorrectly converted or simply lost. The risks are greater if each party operates a different data management platform and additional tooling is needed to make them compatible. Members’ identities have to be validated, too, and that involves further sharing of their data.
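One control an administrator can put around the transfer just described is a reconciliation of what was sent against what the counterparty actually ingested. The Python below is an added illustration, not code from the article or from any of the firms it names: the sending side canonicalises each member record (date format, spacing, case, currency precision) and computes a keyed digest per member, and the receiving side computes the same digests over the data it holds, so that lost, extra and silently altered records surface as lists of member IDs and the field that changed. The records, the NI numbers (deliberately invalid QQ prefixes) and the shared key are all constructed for the example.

```python
import hmac
import hashlib
import json
from datetime import datetime
from decimal import Decimal, InvalidOperation

# Constructed sample records as they leave the scheme administrator (not real members).
SENDER_RECORDS = [
    {"member_id": "M001", "surname": "Smith",   "ni_number": "qq 12 34 56 a", "dob": "07/03/1960", "salary": "41250.00"},
    {"member_id": "M002", "surname": "Patel",   "ni_number": "QQ 22 33 44 B", "dob": "1975-11-21", "salary": "38000"},
    {"member_id": "M003", "surname": "O'Neill", "ni_number": "QQ 55 66 77 C", "dob": "12/01/1982", "salary": "52100.50"},
    {"member_id": "M004", "surname": "Garcia",  "ni_number": "QQ 88 99 00 D", "dob": "30/06/1958", "salary": "29999.99"},
]

# The same data after ingestion by a counterparty's platform (constructed): M003 has been lost,
# M001's date of birth was read as MM/DD instead of DD/MM, and an unexpected row M999 appeared.
# M002 and M004 differ only cosmetically (salary precision, trailing whitespace) and must NOT be flagged.
RECEIVED_RECORDS = [
    {"member_id": "M001", "surname": "Smith",   "ni_number": "QQ123456A", "dob": "1960-07-03", "salary": "41250.00"},
    {"member_id": "M002", "surname": "Patel",   "ni_number": "QQ223344B", "dob": "1975-11-21", "salary": "38000.00"},
    {"member_id": "M004", "surname": "Garcia ", "ni_number": "QQ889900D", "dob": "1958-06-30", "salary": "29999.99"},
    {"member_id": "M999", "surname": "Unknown", "ni_number": "QQ000000Z", "dob": "1990-01-01", "salary": "0"},
]

# Hypothetical secret agreed between the two parties out of band. Keying the digests means the
# manifest can be exchanged without letting a third party brute-force guessable PII from plain hashes.
SHARED_KEY = b"example-shared-key-not-for-production"


def canonical_date(value):
    """Accept ISO (YYYY-MM-DD) or UK (DD/MM/YYYY) dates and return ISO; mark anything else invalid."""
    for fmt in ("%Y-%m-%d", "%d/%m/%Y"):
        try:
            return datetime.strptime(value.strip(), fmt).date().isoformat()
        except ValueError:
            continue
    return f"INVALID:{value.strip()}"


def canonical_money(value):
    """Normalise currency strings to two decimal places so '38000' and '38000.00' compare equal."""
    try:
        return f"{Decimal(value.strip()):.2f}"
    except InvalidOperation:
        return f"INVALID:{value.strip()}"


def canonicalize(record):
    """Reduce a record to a platform-independent form before comparing or digesting it."""
    return {
        "member_id": record["member_id"].strip(),
        "surname": record["surname"].strip().upper(),
        "ni_number": record["ni_number"].replace(" ", "").upper(),
        "dob": canonical_date(record["dob"]),
        "salary": canonical_money(record["salary"]),
    }


def record_digest(record, key):
    """HMAC-SHA256 over the canonical JSON of one record."""
    payload = json.dumps(canonicalize(record), sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_manifest(records, key):
    """member_id -> digest. This is what each side computes locally; no PII needs to travel with it."""
    return {r["member_id"].strip(): record_digest(r, key) for r in records}


def differing_fields(sent, received):
    """Once a digest mismatch is found, name the canonical fields that actually differ."""
    a, b = canonicalize(sent), canonicalize(received)
    return [field for field in sorted(a) if a[field] != b[field]]


def reconcile(sender_records, received_records, key):
    """Compare sender and receiver datasets and report lost, extra and altered members."""
    sent = {r["member_id"].strip(): r for r in sender_records}
    received = {r["member_id"].strip(): r for r in received_records}
    sent_manifest = build_manifest(sender_records, key)
    received_manifest = build_manifest(received_records, key)
    missing = sorted(set(sent) - set(received))
    extra = sorted(set(received) - set(sent))
    mismatched = {
        mid: differing_fields(sent[mid], received[mid])
        for mid in sorted(set(sent) & set(received))
        if not hmac.compare_digest(sent_manifest[mid], received_manifest[mid])
    }
    return {
        "sent": len(sent),
        "received": len(received),
        "missing": missing,
        "extra": extra,
        "mismatched": mismatched,
        "clean": not (missing or extra or mismatched),
    }


if __name__ == "__main__":
    print(json.dumps(reconcile(SENDER_RECORDS, RECEIVED_RECORDS, SHARED_KEY), indent=2))
```

Run against the constructed data, the report shows four records sent and four received, so a plain row count would pass, yet M003 is missing, M999 is extra and M001 differs in `dob`. Row-level digests over canonical fields catch exactly the corruption, mismatch and conversion errors the paragraph describes, and because only member IDs and keyed digests are exchanged, the check itself does not require another movement of the PII.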
“The founding principle of anything around data security and cybersecurity is that where large data sets move, the risk increases exponentially – and these are very large data sets in frequent movement over a relatively short period of time,” said Taylor.
“There are data flows that are going to other parties and agents before that transaction happens, or during that transaction. I don’t think that full picture of a data flow is fully understood and analysed and accepted until far later in the transaction, when it’s actually happening.”
The UK’s National Cyber Security Centre issues regular warnings of attacks on British businesses. Highlighting the increased risks firms face, the UK government revealed that half of all businesses and a third of charities had reported experiencing a cybersecurity breach last year.
Not all attacks are made public, and experts say it is likely that “sleeper events” – in which hackers amass, intercept and manipulate data over long periods of time – could be happening to companies without them knowing.
The biggest known breach with ties to the UK’s pension industry came in 2023 when hackers broke into the systems of Capita. Administrators were advised by the Pensions Regulator that “If you use Capita’s services, you should check whether your pension scheme’s data could be affected.”
The incident highlighted the potential allure of the pensions industry to hackers. Schemes hold data on millions of people, including sensitive information such as dates of birth, earnings and employment status. Armed with this information, fraudsters can defraud the individual they have hacked or assume their identity to defraud others.
Although it’s not known if data on any of the exposed individuals was taken and used in the Capita breach, the incident chilled the industry, said Alan Greenlees, Professional Trustee at financial services company ZEDRA.
“It caused an awful lot of concern for members, and rightly so,” he said.
Since then, cyber resilience has risen up the agenda of discussion topics when trustees consult on PRT deals. While it’s generally assumed that insurers and their agents have the necessary guardrails in place to protect members’ data, they are still advised to probe their counterparties on what assurances they can offer.
“The Capita incident affected a large firm that you’d have thought had the various safeguards in place,” said Greenlees.
“There is a sense that with so many companies and schemes in the market, there is safety in numbers – that yours won’t be picked out from the hundreds and thousands of others. As trustees we can always do more to protect our members’ data and cybersecurity remains a key risk for schemes to manage.”
A data breach could be calamitous to individuals but is unlikely to wreck a PRT transaction, even if the deal is in motion at the time.
Insurers and trustees are confident that with the help of the regulator and the Information Commissioner’s Office (ICO), the UK’s data protection overseer, most attacks can be contained. Further, pension administrators ensure there are sufficient data firewalls around schemes’ financial information to prevent money being lost in an attack.
The most likely impact on the PRT process is that contract negotiations will be halted, delaying a final settlement. Nevertheless, breaches risk damaging the reputation of sponsors.
“If a sponsor sees in the press its name associated with former employees’ and members’ data being taken, that negativity is going to lead to some sort of commercial hit later on, as well as potential financial fines from the ICO,” said Greenlees.
To guard against attacks, Trafalgar House urges that trustees remain vigilant and require accurate and comprehensive reporting from their administrator. In the case of PRT negotiations, trustees should spend more time in their due diligence questioning insurers’ cyber resiliencies.
“When we’re appointed by trustees, cybersecurity and data risk and data risk management is a huge consideration now, and we spend an awful lot of time through our appointment process proving credibility in the space,” said Taylor.
“But I’m not sure that full analysis and deep dive consideration is being done in terms of selection of risk transfer partners.”
