The pensions industry is a prolific generator of data and much of it is sensitive. As this data moves online, its exposure to attack grows. Like many organisations, pension schemes face a wide range of threats, from fraudsters and organised criminals to disgruntled employees and nation states. Cyber incidents can occur in a number of ways; factors that make them more likely include lack of preparedness, circumvention of controls and lack of clarity about who is responsible for what.
Given the potential impact of data breaches, scheme managers and trustees need to have a clear understanding of cyber risk and take robust measures to build their cyber resilience. Regulators are also focusing on pension funds’ cybersecurity arrangements more closely than in the past.
Some of the major challenges pension funds may face include:
66% of all intrusions start with social engineering. The most common type of social engineering is phishing, which uses emails purporting to be from reputable companies or known contacts. In the past year there has been a resurgence in targeted variants: spear phishing, aimed at specific individuals, and whaling, aimed at senior executives. Business email compromise is also increasing: a common technique is an email that appears to come from the CFO, sent to a recently hired junior, requesting an urgent funds transfer for a time-sensitive M&A deal, for example. A common sense response is best: links and attachments in unsolicited emails should not be opened, unexpected payment requests should be verified through a separate channel such as a phone call to a known number, and suspicious emails should be forwarded to security teams to help them build better defences.
Malicious software (malware) such as ransomware can be installed via a link, an attachment or a memory stick. Managers and trustees should not open unsolicited attachments or follow unsolicited links. Ideally, memory sticks should be prohibited, or USB ports restricted to approved devices. Users should report strange PC activity to security, such as new icons appearing on the desktop or system tray, unexpected pop-ups or an unusually slow PC.
Mobile and bring-your-own-device policies create additional risks that must be managed. Container solutions can separate scheme data from personal data on the device and allow the scheme's data to be wiped remotely if the phone is lost or stolen. Managers and trustees need to be aware of SMS phishing, or smishing, and should change the default PIN for voicemail access. Common sense should be applied: managers and trustees should keep their devices with them at all times or lock them away. They must also always use a password or PIN with an automatic lock screen, and avoid using unsecured Wi-Fi networks.
Attackers are primarily interested in obtaining credentials. A number of simple steps greatly reduce the risk: always using two-factor authentication, and never reusing the same password across platforms or devices, so that one stolen password does not unlock everything else. Pension schemes should limit administrator access to those who need it for their role, so that malware running under an ordinary user account cannot spread across the network.
“The key to cybersecurity is to understand the scale, nature and location of data and have clear and robust controls in place to prevent unauthorised access.”
It is critical to set out who can access which data (for example managers, trustees and third parties such as actuaries or lawyers). This information should be reviewed regularly and updated when people change roles or leave, and a named individual should be responsible for enforcing the policy. Cybersecurity covers the whole information lifecycle, not just access. Defences should be layered: the focus must be not only on preventing access by fraudsters but on ensuring that monitoring and alerts are in place to detect adversaries who do get in and to remove them from the network.
BNY Mellon assumes no liability for the content, including statistics, herein. All content, including statistics, was derived from discussions and presentations that took place at the BNY Mellon Pension Summit in London on 14 November 2018.
BNY Mellon is the corporate brand of The Bank of New York Mellon Corporation and may be used as a generic term to reference the corporation as a whole and/or its various subsidiaries generally. This material and any products and services may be issued or provided under various brand names in various countries by duly authorised and regulated subsidiaries, affiliates, and joint ventures of BNY Mellon, which may include any of the following. The Bank of New York Mellon, at 240 Greenwich Street, NY, NY 10286 USA, a banking corporation organised pursuant to the laws of the State of New York, and operating in England through its branch at One Canada Square, London E14 5AL, registered in England and Wales with numbers FC005522 and BR000818. The Bank of New York Mellon is supervised and regulated by the New York State Department of Financial Services and the US Federal Reserve and authorised by the Prudential Regulation Authority. The Bank of New York Mellon, London Branch is subject to regulation by the Financial Conduct Authority and limited regulation by the Prudential Regulation Authority. Details about the extent of our regulation by the Prudential Regulation Authority are available from us on request. The Bank of New York Mellon SA/NV, a Belgian public limited liability company, with company number 0806.743.159, whose registered office is at 46 Rue Montoyerstraat, B-1000 Brussels, authorised and regulated as a significant credit institution by the European Central Bank (ECB), under the prudential supervision of the National Bank of Belgium (NBB) and under the supervision of the Belgian Financial Services and Markets Authority (FSMA) for conduct of business rules, a subsidiary of The Bank of New York Mellon, and operating in England through its branch at 160 Queen Victoria Street, London EC4V 4LA, registered in England and Wales with numbers FC029379 and BR014361. 
The Bank of New York Mellon SA/NV (London Branch) is authorised by the ECB and subject to limited regulation by the Financial Conduct Authority and the Prudential Regulation Authority. Details about the extent of our regulation by the Financial Conduct Authority and Prudential Regulation Authority are available from us on request. The Bank of New York Mellon SA/NV, operating in Ireland through its branch at Riverside 2, Sir John Rogerson’s Quay, Grand Canal Dock, Dublin 2, D02 KV60, Ireland, trading as The Bank of New York Mellon SA/NV, Dublin Branch, which is authorized by the ECB, regulated by the Central Bank of Ireland for conduct of business rules and registered with the Companies Registration Office in Ireland No. 907126 & with VAT No. IE 9578054E. If this material is distributed in or from, the Dubai International Financial Centre (DIFC), it is communicated by The Bank of New York Mellon, DIFC Branch, (the “DIFC Branch”) on behalf of BNY Mellon (as defined above). This material is intended for Professional Clients and Market Counterparties only and no other person should act upon it. The DIFC Branch is regulated by the DFSA and is located at DIFC, The Exchange Building 5 North, Level 6, Room 601, P.O. Box 506723, Dubai, UAE. BNY Mellon also includes The Bank of New York Mellon which has various subsidiaries, affiliates, branches and representative offices in the Asia-Pacific Region which are subject to regulation by the relevant local regulator in that jurisdiction. Details about the extent of our regulation and applicable regulators in the Asia-Pacific Region are available from us on request. Not all products and services are offered in all countries.
The material contained in this document, which may be considered advertising, is for general information and reference purposes only and is not intended to provide legal, tax, accounting, investment, financial or other professional advice on any matter, and is not to be used as such. The contents may not be comprehensive or up-to-date, and BNY Mellon will not be responsible for updating any information contained within this document. If distributed in the UK or EMEA, this document is a financial promotion. This document and the statements contained herein, are not an offer or solicitation to buy or sell any products (including financial products) or services or to participate in any particular strategy mentioned and should not be construed as such. This document is not intended for distribution to, or use by, any person or entity in any jurisdiction or country in which such distribution or use would be contrary to local law or regulation. Similarly, this document may not be distributed or used for the purpose of offers or solicitations in any jurisdiction or in any circumstances in which such offers or solicitations are unlawful or not authorised, or where there would be, by virtue of such distribution, new or additional registration requirements. Persons into whose possession this document comes are required to inform themselves about and to observe any restrictions that apply to the distribution of this document in their jurisdiction. The information contained in this document is for use by wholesale clients only and is not to be relied upon by retail clients. Trademarks, service marks and logos belong to their respective owners.
BNY Mellon assumes no liability whatsoever for any action taken in reliance on the information contained in this material, or for direct or indirect damages or losses resulting from use of this material, its content, or services. Any unauthorised use of material contained herein is at the user’s own risk. Reproduction, distribution, republication and retransmission of material contained herein is prohibited without the prior consent of BNY Mellon.
© 2019 The Bank of New York Mellon Corporation. All rights reserved.