Pension providers reported a staggering quadruple-digit percentage increase in data breaches to the UK regulator last year, according to new data compiled by professional services firm RPC.
The London-based practice analyzed reports to the Information Commissioner’s Office (ICO) in the year to June 30, 2023.
It found that the pension sector suffered just six cyber-attacks leading to a data breach in 2021/22, rising to 246 the following year – a 4000% increase.
That made the sector the worst hit in the financial services vertical. Overall, financial services firms recorded a 242% increase in cyber-attacks leading to breaches – from 187 incidents to 640 over the same period.
RPC claimed that pension funds are an obvious target for ransomware actors in particular, due to the large volumes of sensitive and highly monetizable financial and personal information they hold, and the need to keep systems up and running to pay pensioners without disruption.
RPC partner and head of cyber and tech insurance, Richard Breavington, argued that pension fund trustees could be liable if they fail to manage cyber-risk appropriately.
“Cybersecurity is fundamental to pension scheme trustees’ legal duties. It’s a cause for concern that so many financial services firms, especially pension schemes, have suffered some form of cyber-attack, resulting in a data breach,” he added.
“The assumption might sometimes be that major financial services businesses have robust cyber defenses so that they are impervious – that certainly hasn’t stopped hackers continuing to try.”
However, Caleb Mills, professional services director at Doherty Associates, suggested the spike in reports to the ICO could be interpreted positively – as a sign more financial services firms are finding and notifying the regulator of incidents.
“A holistic approach to cybersecurity is imperative, demanding constant monitoring and timely updates across every link in the supply chain,” he added.
“The consequences of failing to maintain a robust security posture are profound; they extend beyond financial implications to lasting reputational damage should a financial services business fall victim to a data breach. The stakes are high, and the need for vigilance has never been more evident.”