Cybersecurity Breaches at UK Pensions Soar More Than 4,000% in 1 Year

Cybersecurity breaches reported by British financial services companies more than tripled in the 12-month period ending June 30, with the pension sector reporting the biggest increase at 4,000%, according to research from international law firm Reynolds Porter Chamberlain.

Citing data from the British Information Commissioner’s Office, the law firm stated that U.K.-based financial companies reported 640 cybersecurity breaches between June 30, 2022, and June 30, 2023, up from 187 during the same period from 2021 to 2022. Among those, pension plans reported to the ICO a total of 246 cybersecurity breaches, up from just six during the previous 12-month period.

According to RPC, hackers go after pension plans because they hold an enormous amount of valuable, sensitive financial data, which makes them potentially vulnerable to ransom demands. The firm added that pension plans—trustees in particular—can be held liable for a failure to manage digital risk appropriately, noting that The Pensions Regulator holds trustees accountable for the security of a plan’s information and assets—even if they are outsourced.

“Cybersecurity is fundamental to pension scheme trustees’ legal duties,” Richard Breavington, partner and head of cyber and tech insurance at RPC, said in a release. “It’s a cause for concern that so many financial services firms, especially pension schemes, have suffered some form of cyber-attack, resulting in a data breach.”

Breavington added that “the assumption might sometimes be that major financial services businesses have robust cyber defenses so that they are impervious—that certainly hasn’t stopped hackers continuing to try.”

According to the U.K.’s Department for Science, Innovation and Technology, because the most common cybersecurity threats are relatively unsophisticated, government guidance advises businesses and charities to protect themselves using what it calls “cyber hygiene” measures. This includes a broad range of measures, the most common of which are updated malware protection, cloud back-ups, passwords, restricted administrative rights and network firewalls.