Quarter of schemes unprepared for cyber risks

Nearly a quarter (23 per cent) of UK pension schemes are unprepared for the risks posed by cyber crime, Aon has found.

In its Global Pension Risk Survey 2019, Aon revealed that 77 per cent of schemes have undertaken some form of cyber training, or plan to do so over the next year.

This leaves 23 per cent of schemes vulnerable to cyber crime.

Although Aon found that 95 per cent of respondents said that their scheme had not been affected by cyber crime, it warned that the threat was increasing.

Commenting on the findings, Aon principal consultant, Vanessa Jaeger, said: “Getting some training is the first and simplest thing that trustees can do in considering the risk - just so they can fully understand some of the issues and know how to take informed actions.

“We believe that in some cases this lack of action is where people may have outsourced services to third parties and assume the issue lies with them.

“But if those suppliers – and the schemes – are impacted by a cyber-attack, trustees will have no plan in place to manage the situation and may find that they are struggling to support their scheme members and to know what the appropriate action should be – let alone how to take it.”

Aon’s survey also discovered that two thirds of schemes did not have any documentation of cyber risks, mitigations, and security policies and procedures.

Furthermore, around half of respondents have not carried out and did not plan to carry out a review of data transfer agreements.

Jaeger continued: “We have worked with many schemes on cyber simulation exercises – essentially a ‘war game’ of how a cyber-attack might unfold. These involve running a trustee board through what can occur and are designed to get participants to consider the actions they need to take to deal with the situation.

“The natural follow on from any training is to have an incident response plan. That can vary from a list of contact details and a checklist to a robust plan of action.

“Sixty per cent of respondents said that they do have one of these or plan to do so within the next year.

“But bear in mind that The Pensions Regulator has stated that good governance includes establishing and testing your incident response plan – so the other 40 per cent of schemes need to act swiftly.

“But the planning shouldn’t stop there. This is a real and ever-growing threat, so trustees and pension scheme sponsors need to be alive to the issue and to have had some training around it.

“They should also repeat the training at least every two years; cyber criminals’ tactics and techniques continue to evolve so it’s vital to stay as up to date as possible on what is – sadly – a growing and changing risk.”
