Written by Melanie Hart, a partner specialising in cyber-response and data breach disputes at law firm Kingsley Napley LLP
The pensions industry is built on a foundation of trust and security. It has to be. Every stakeholder in the pensions arena deals with highly sensitive data – be that personally sensitive or commercially sensitive, or both.
Millions of individuals entrust not only their pension capital but also their personal data to the managers, trustees, IFAs, administrators and other stakeholders who operate the industry. The recent Capita cyber-attack and corresponding data leak has brought that fragile relationship of trust into sharp focus.
Whilst there have been cyber-attacks and other data hacks in the wider pensions industry before, the Capita breach has sent a new wave of concern across the industry given its sheer scale. The nature of Capita’s role as a pensions administrator means that, on behalf of its clients, which include several large public and private sector pension funds, it was processing the personal data of many millions of individuals (Capita’s own data indicates it had more than 450 clients, processing the data of 4 million+ individuals). That data is likely to include individuals’ names, dates of birth, National Insurance numbers, pension fund numbers, contact details, salary details and more.
The initial unauthorised access began, we now know, around 22 March 2023 but was only discovered and stopped by Capita more than a week later, on 31 March. It was subsequently established that the cyber-attack had been perpetrated by the Russian ransomware group ‘Black Basta’, which is known for carrying out highly targeted attacks and ‘double extortion’ tactics. They encrypt critical data and servers, and threaten to publish sensitive data unless a ransom is paid. They also sell data on the dark web for profit to those who seek to use that data, often together with additional data from other public or illicit sources, to engage in identity theft, fraud and blackmail.
It is now believed that Capita may have suffered an additional data breach after leaving benefits data files in publicly accessible storage. Together the incidents have led some 90 organisations to report concerns about breaches of personal data held by Capita, the Information Commissioner’s Office (ICO) has disclosed.
It is often the case when these cyber-attacks occur that it is not possible to know with certainty, for a considerable period of time, exactly what data has been impacted and how. There is a common misconception amongst the organisations who are victims of these attacks that within hours ‘the techies’ will have established the cause and extent of the damage. More often than not it can take many weeks, sometimes longer, to establish the exact cause and the real extent of the damage, due to the many different forms these attacks can take. It is almost always the case that the victim organisation will not have the full details before it has to inform its regulators, and often it will still be operating somewhat in the dark even at the point it needs to inform its customers and others.
Why Are Attacks in the Wealth Arena on the Rise?
Cyber-attacks are on the increase globally due to the convergence of economic, geopolitical and technical factors. Economic downturn has seen a scaling back of, or lack of, investment in some quarters in threat detection and protection; the war in Ukraine has seen an exponential increase in cyber-attacks emanating from Russian-backed hackers seeking to fight the war on an alternative front; and the number of devices – and therefore routes for attack – that people use to access and share their data is rapidly expanding without commensurate cyber security systems or training necessarily being in place. The continuing rise of AI and other machine learning technologies is also making it increasingly easy, and quick, for threat actors to deploy new attack methods and circumvent prevention systems. The rich seam of data held by organisations operating in the wealth management and pensions sector, together with an assumption by the threat actors that they will be well resourced and/or insured, makes them an increasingly attractive target.
What Can We Do?
All organisations involved in the wealth arena need to work on the assumption that they will be targeted – it is a case of when, not if. Prevention, planning and preparation in respect of an organisation’s own areas of cyber risk are of course essential but, just as importantly, the same considerations apply in relation to all the third-party organisations which any entity may be involved with up and down the financial services and pensions supply chain. The Capita incident shows just how far the contamination and ripples of a successful attack can travel. Contractually enforceable security requirements at the point of initial engagement are important, but a right to regular information and audit is also key.
The fact that an administrator (the data processor) has caused the loss of a pension fund’s (the data controller’s) customers’ data does not absolve the pension fund of liability. Regulators, including TPR and the ICO, will expect to see proper risk assessments being carried out, and pertinent information about policies and practices being requested, and followed up on, by all stakeholders.