CYBER SECURITY AND THE PENSIONS INDUSTRY Karen Tasker 1 February 2018

Transcription

1 CYBER SECURITY AND THE PENSIONS INDUSTRY Karen Tasker 1 February 2018

2 What s the relevance for pension schemes? What do cyber risks look like? What should Trustees be doing?

3 Cyber risk means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems. Institute of Risk Management 11 June 2014

4 World s biggest data breaches 10 years ago accidentally published hacked inside job lost/stolen device or media Poor security Source: Information is Beautiful

5 World s biggest data breaches now 2017 accidentally published 2016 hacked inside job lost/stolen device or media Poor security Source: Information is Beautiful

6 Current IT trends Big Data & Analytics Increase in... Wearable Technology Connectivity Access points Remote access Mobile Working Personal information Data sharing The Cloud Internet of Things Internet Transactions Social Media

7 Cyber crime is increasing why? The inherent risks Increasing network connections, dependencies, and trust relationships Increasing sophistication of attackers but technicality of perpetrators is decreasing Increased processing power and decreasing cost of attack Staff have the information the attackers want so they need to be educated Growth of the dark web as a source of attacks and as a market for information Rapid growth of social media Under reporting of cyber crime Lack of understanding of the entity s cyber footprint

8 Cyber footprint Services provided ITC Services consumed Entity Cyber boundary Cyber entity 4 boundary Real cyber entity 1 boundary Services engaged Third Parties Cyber boundary entity 3 Cyber boundary - ITC Cyber boundary entity 2 External threats Services engaged Cloud

9 Your data risks Third parties Your Data GDPR impact

10 Pension schemes are likely to be attractive targets to cyber criminals, because they hold a lot of personal employment and financial data. Unlawful access or attacks could be serious for a scheme and its members, and could in the end result in identity theft, loss of data or even loss of financial assets. It is trustees who are the data controllers under the Data Protection Act, so it is the trustees who must make sure they have all the proper protocols and policies in place, and that any third parties they use also have the appropriate controls in place Cyber security should be a key risk on risk registers. Lesley Titcombe September 2016

11 The challenge Cybercrime has surpassed all other forms of crime in the UK cyber enabled crime 36% and computer misuse 17% (NCA s Cyber Crime Assessment 2016) The average cost of a data breach in 2017 is $3.62 million dollars (2017 Ponemon Cost of Data Breach Study) 53% of companies are ill prepared to deal with a cyber attack in the US, UK and Germany (Hiscox Cyber Readiness Report 2017) 75% of data breaches were by external actors but 25% were perpetrated by internal actors. (Verizon Data Breach Investigations Report 2017) There were approximately 5.6 million reported incidents of fraud and cybercrime in the UK in 2016 (UK Office of National Statistics) Within the last year, 65% of large UK firms detected a cyber security breach or attack. (UK National Crime Agency and National Cyber Security Centre, March 2017) Human error is involved in more than 95% of security incidents (IBM s 2015 Cyber Security Intelligence Index report)

12 Types of cyber risk safety Phishing and whaling Social engineering Online safety Personal information Social media BYOD Removable data Information handling Remote working Mobile working Password safety

13 Attack categories Sources of cyber attack The casual, the curious and the mischievous The social engineers Insider attacks Hacktivists and cyber terrorists Cyber crime syndicates, fraudsters and thieves States or companies

14 The casual, the curious and the mischievous

15 The casual, the curious and the mischievous Green Building at MIT

16 The social engineers Scraping social networks Gaining access to buildings tailgating Calling help desks Masquerading as company officials Bin dipping Top secret deals

17 Insider attacks Abused his position as a senior internal auditor at the firm's Bradford head office. Sent information about staff salaries, bank details and National Insurance numbers to several newspapers Posted data on data sharing websites The data breach cost the company more than 2m to rectify.

18 Cyber crime syndicates, fraudsters and thieves Phishing Targeting many individuals, mainly with blanket e- mails, and hoping that some will follow links, open attachments, reply with information or transfer funds Whaling Targeting a small group of individuals with significant data access (often disguised as a manager/ceo) and requesting personal information, bank details changes, or a large funds transfer

19 Example Gained entry into an employee's computer through 'spear phishing infected it with malware called Carbanak. Sent authentic-looking s from his account that other staff clicked on, spreading the malware through the bank. Found the administrator account for the CCTV equipment They used the CCTV to record everything that happened on the screens of staff who serviced the cash transfer systems. They mimicked the activity of these staff activity in order to transfer money out.

20 The challenges the risks for pension schemes Potential risks Lack of recognition/knowledge of data held Staff Complacency Poor internal processes Lack of investment and training Falling behind the curve Potential results Loss of reputation Breach of Data Protection Act GDPR brings significant fines for loss of data Loss of confidential information Loss of operational systems Loss of members money pots or pensions

21 What do Trustees need to do? Translating cyber risk management into practical next steps: make this a board level issue; consider your risks: both your people and third party risks; consider data scrubbing; implement good IT general controls in depth; review your policies and procedures; ensure you will be GDPR ready by May 2018; provide rolling education and training e.g. on the use of social media; foster a no-blame culture; keep your firewalls, operating systems, virus engines up-to-date; password protect the Wi-Fi; have a formal Incident Management Plan for when the worst happens; consider compliance with Cyber Essentials; consider cyber insurance; check physical site controls; review controls against social engineering generally; and penetration tests.

22 Questions for Trustees Areas for consideration: Is cyber security on the risk register and in what guise? Has the risk been appropriately assessed and has it been rigorously tested? Do trustees use portable devices to access board papers? Do trustees use home computers? How secure are they? Have trustees been given sufficient training in order to understand and assess risks? Does the administrator have an internal controls report and does it sufficiently detail IT risk? If a breach occurs, would the administrator have to tell the trustees? What is covered in the contractual arrangements and when were they last reviewed? What controls are in place to check a member s identity when benefits are being claimed? Do Trustees have an Incident Management Plan? Are Trustees in a position to report personal data security breaches to the ICO within 72 hours (with a risk management review)?

23 Cyber Security and the Pensions Industry Conclusions Cyber Security IS affecting the pensions industry It must be on Trustees risk registers as a bare minimum response Education and training is key People are the weakest link Data is a valuable commodity that must be protected

24 KAREN TASKER Partner The UK group of companies and LLPs trading as RSM is a member of the RSM network. RSM is the trading name used by the members of the RSM network. Each member of the RSM network is an independent accounting and consulting firm each of which practises in its own right. The RSM network is not itself a separate legal entity of any description in any jurisdiction. The RSM network is administered by RSM International Limited, a company registered in England and Wales (company number ) whose registered office is at 50 Cannon Street, London EC4N 6JJ. The brand and trademark RSM and other intellectual property rights used by members of the network are owned by RSM International Association, an association governed by article 60 et seq of the Civil Code of Switzerland whose seat is in Zug. RSM Corporate Finance LLP, RSM Restructuring Advisory LLP, RSM Risk Assurance Services LLP, RSM Tax and Advisory Services LLP, RSM UK Audit LLP, RSM UK Consulting LLP, RSM Employer Services Limited, RSM Northern Ireland (UK) Limited and RSM UK Tax and Accounting Limited are not authorised under the Financial Services and Markets Act 2000 but we are able in certain circumstances to offer a limited range of investment services because we are members of the Institute of Chartered Accountants in England and Wales. We can provide these investment services if they are an incidental part of the professional services we have been engaged to provide. RSM Legal LLP is authorised and regulated by the Solicitors Regulation Authority, reference number , to undertake reserved and non-reserved legal activities. It is not authorised under the Financial Services and Markets Act 2000 but is able in certain circumstances to offer a limited range of investment services because it is authorised and regulated by the Solicitors Regulation Authority and may provide investment services if they are an incidental part of the professional services that it has been engaged to provide. Baker Tilly Creditor Services LLP is authorised and regulated by the Financial Conduct Authority for credit-related regulated activities. RSM & Co (UK) Limited is authorised and regulated by the Financial Conduct Authority to conduct a range of investment business activities. Before accepting an engagement, contact with the existing accountant will be made to request information on any matters of which, in the existing accountant s opinion, the firm needs to be aware before deciding whether to accept the engagement RSM UK Group LLP, all rights reserved