Hackers steal member funds from Australian retirement savings schemes
April 11, 2025
In light of UK data protection law and the General Code's focus on cyber risk management and data governance, it is already clear to UK pension schemes, their service providers and professional advisers that the regulators (The Pensions Regulator (TPR), the Financial Conduct Authority (FCA) and the Information Commissioner's Office (ICO)) regard cyber risk as a major concern. This reflects the fact that cyber criminals can, and increasingly do, target pension schemes for two main reasons:
If evidence of that were needed, a recent cyber-attack involving retirement saving schemes in Australia offers a sobering reminder.

What's happened?

Australia's $2.63 trillion retirement savings sector has recently been the target of a coordinated set of cyber attacks. Earlier this month, over 20,000 accounts across several of the country's retirement savings schemes were compromised. The full scale of the incident is still being determined, though a number of funds, including some of the country's largest superannuation funds, have already confirmed they were targeted in these attacks. While some pension funds merely detected "suspicious" login activity (which in itself may still be a data breach), others suffered more substantial damage. Passwords for around 600 members of one of the super-funds were stolen, presumably with a view to accessing accounts and perpetrating fraud. Four members of a super-fund had a combined A$500,000 drained from their balances and transferred to other accounts that did not belong to them. An industry pension fund for retail workers, with A$93 billion of assets under management, said it suffered an attack that affected around 20,000 member accounts, roughly 1% of its 2 million members. The incident has attracted nationwide attention, with Australia's National Cyber Security Coordinator Michelle McGuinness and Prime Minister Anthony Albanese both issuing statements confirming that the government, regulators and industry will come up with a "considered" response in due course.

Why is cyber risk management so important for pension schemes?

Incidents like this are a stark reminder of the importance of cyber security for pension schemes, which needs to be looked at from both the data protection angle (securing personal data) and the wider scheme governance angle (including safeguarding scheme assets and confidential information). Pension schemes invest large sums of money on behalf of their members.
They also hold a high volume of personal data for an extended period of time, including sensitive information such as details of members' health and bank accounts. This makes them an attractive target for cyber criminals. For the entire duration that personal data is held, there are statutory obligations under the UK General Data Protection Regulation (UK GDPR) to have appropriate security measures in place, and TPR has issued its General Code, which reinforces the duties schemes have to protect scheme assets, members and their data. Non-compliance with data protection laws can have serious consequences, including fines of up to £17.5 million (or 4% of annual worldwide turnover, whichever is higher), uncapped compensation for member claims, and sanctions, enforcement notices and reprimands from the ICO, which can cause substantial reputational damage for the scheme or provider and associated employers. Separate sanctioning from TPR is also a risk. The threat from cyber criminals looms large, and pension schemes must ensure they have systems in place to prevent, detect and respond to such incidents. When it comes to cyber risk, being proactive rather than reactive is essential.

What should pension schemes do?

Vital steps for effective cyber risk management include:
Pension schemes must also have in place robust policies and procedures which comply with the requirements in the UK GDPR and TPR's General Code. Cyber policies are a key part of any scheme's governance framework. It is also key to have comprehensive incident response plans, which should set out the steps to be taken in the event of a cyber incident, so that a swift and effective response can be mounted to mitigate potential damage. Regular training sessions for administration staff, trustees and other key decision-makers are essential to ensure that everyone understands the risks, their roles and responsibilities, and the decisions that might need to be taken in the event of a cyber attack. It is important to rehearse response plans regularly through simulated cyber incident drills, which can identify weaknesses and ensure that trustees and their advisers, as well as scheme administrators and pensions managers, are prepared to act quickly and efficiently in the face of a real cyber attack.

How can we help?

Eversheds Sutherland has a full service data/cyber offering for pension schemes, including a team of experts who come together to advise our clients on compliance steps and on handling risks as and when they materialise. This includes specialists in data protection, litigation, insurance, contracts and pensions regulatory matters working together to provide a 'one team' approach for our clients.