Complacency over the risks posed by cyber attacks on pension schemes could lead to serious losses if action isn’t taken to address the issue, Squire Patton Boggs (SPB) has said.
In a report on the risk cybersecurity poses to trustees, sponsors and members, SPB said that, as the risk is “constantly evolving”, safeguards should “remain under review”.
However, according to SPB, trustees may not be aware of the threat it represents, and they should take greater care to guard against cyber-attacks.
Speaking to Pensions Age, SPB head of pensions, Clifford Sims, said: “There’s potentially a problem with complacency at the trustee level.
“The amount of money that’s at stake, it could be significant, it could be systemic, and it could be a really serious loss.
“The vast majority of schemes had clocked the risks, but what were they doing about it?
“In terms of cyber, not many schemes, in our experience, have reviewed their contracts to examine whether the coverage for cyber risk is addressed at all, or if there is adequate coverage.”
To mitigate the risk posed by cyberattacks and General Data Protection Regulation (GDPR) compliance, SPB has recommended testing the scheme’s procedures for dealing with and recovering from data breach incidents.
The Pensions Administration Standards Association considers independent, regular and effective penetration testing to be best practice for identifying weaknesses.
SPB also stated that trustees should have access to IT expertise, review insurance policies to check they would cover the costs associated with a cyber-attack or data breach, and timetable regular policy and safeguarding reviews.
Sims continued: “When you say ‘cybersecurity’ to people, they say it’s really serious, but it’s ‘just the kind of thing that happens to other people, it doesn’t happen to us’ is the instant reaction.”
He noted, however, that GDPR has been beneficial for the pensions industry and that the new regulations had “galvanised” pension scheme administrators.










