Cyber crime, risk control and data loss have become a grim reality for too many pension funds. One of the latest victims is the UK’s Universities Superannuation Scheme (USS), which said information on 470,000 members could have been taken in a recent attack, including names, dates of birth and national insurance numbers.
Unfortunately, USS was not the only pension fund affected, because the attack – which occurred last March – was actually on Capita, the outsourcing company that manages USS’s pension system, along with those of over 400 other pension funds.
Other clients potentially at risk include the pension schemes of Marks & Spencer, Unilever and Diageo.
But pension funds throughout Europe, including PME and PFZW in the Netherlands, have also recently suffered data breaches, while in February, Norway’s Haugesund Pension Fund successfully resisted an attempt by hackers to transfer large sums of money out of the fund.
Capita said that because it had interrupted the intrusion, the impact of the attack was severely restricted, with some data exfiltrated from less than 0.1% of its server estate.
It is working with specialists and forensic experts to recover and secure the customer data contained within the affected server estate, and rectify any issues arising from the incident, which it said has cost it between £15m and £20m.
Meanwhile, the pension funds affected have swung into action, e-mailing or otherwise contacting members and providing guidance and Q&As on their websites.
USS is also giving members free access to an identity protection service.
Earlier this month, The Pensions Regulator (TPR) published a statement for trustees, reminding them that they are responsible for the security of their members’ data.
The statement said those schemes using Capita’s services should check whether their pension scheme’s data could be affected, and continue to communicate with Capita.
“This situation is likely to cause concern to members and you should be prepared to answer their queries,” it went on. “You should contact your members proactively to warn them about pension scams and keep them updated while you confirm whether a data breach has taken place. You should also monitor increased or unusual transfer requests.”
It added that in the case of a data breach within their scheme, trustees might need to notify affected individuals, and should direct them to data breach guidance for individuals from the National Cyber Security Centre. They might also need to notify TPR and the Information Commissioner’s Office (ICO).
“This incident shows the importance of having a robust cyber security and business continuity plan in place,” TPR concluded. TPR has published its own cyber security principles for pension schemes.
However, administrative time and costs are not the only dangers for pension schemes should a breach happen.
“Pension trustees must rely on third parties to process their data, and no-one is safe from cyber risk,” said Anna Rogers, senior partner at Arc Pensions Law. “If there is a data breach, affected members may well make claims.”
She said scheme members can claim for non-material losses, such as distress, often pursued by specialist claims management firms.
According to Alex Dittel, partner and head of data protection at Wedlake Bell, a typical claim would be £3,000 per person, and even if it fails, defending those claims costs money.
Furthermore, Rogers said trustees could fail to recover their losses from the third party because of:
- inadequate contractual terms;
- inadequate due diligence by the trustee; or
- actions taken (or inaction) by the trustee following the breach.
Rogers observed: “Regulators – TPR and ICO – will be understanding of trustees who have done as much as they could, but their requirements to some extent push in different directions. And notifying members when not required by law may increase risk.”
She concluded: “Now is a good time to refresh training, supplier reviews and readiness to respond.”