National advice firm, Succession Wealth, has launched an investigation after falling victim to a cyber-attack.

The firm, which was bought by Aviva in March 2022, was alerted to the potential cyber-attack on 8 February.  The firm offers advice on retirement and savings options to approximately six million customers.  Of these, four million are workplace pension customers and approximately two million are individual pensions and savings customers.

The firm said it communicated with clients and employees who might be affected by the cyber-attack as soon as it had verified key details and had firm evidence that an attack had occurred. In a statement released to the press, the firm said: “Succession Wealth will ensure that clients will not suffer financial loss if their personal data held by Succession is misused as a result of the attack.”

Cyber resilience

The cyber-attack on Succession Wealth, together with the recent large-scale ransomware attack on Royal Mail, reiterates the importance of pension schemes, financial services firms and advice firms prioritising a strong cyber resilience response plan.

In June 2022, ahead of the Pensions Regulator’s Single Code of Practice coming into force, the Pensions and Lifetime Savings Association published a helpful guide aimed at trustees called “Cyber Risk Made Simple Guide”. It sets out key actions that trustees should consider to prevent a cyber-attack from occurring, including:

  • understanding the vulnerabilities that exist within the scheme through carrying out a cyber resilience assessment;
  • regular training on the nature of cybercrime and how it might impact on the scheme, the members and the employer;
  • implementing key policy documentation which sets out clear expectations for the trustees in relation to cyber security – notably an incident response plan, a cyber resilience policy and a cyber hygiene document; and
  • testing the scheme’s incident-readiness on a periodic basis, to ensure that it remains suitable and broadly familiar to the trustees, the pensions team and the employer.

As well as preventative measures, trustees should also consider their reactive measures, i.e. what to do if a cyber-incident does occur.

Trustees might consider instructing a team of specialist advisors who are “on call” to assist in the event that a cyber-attack occurs and who are available to take action immediately to deal with it. Trustees should also consider how they might communicate any incident to members, as well as to the wider press.

Burges Salmon can offer both preventative “blue hat” and reactive “red hat” services to help trustees both prepare for and respond to a cyber-attack if their scheme is targeted. If you would like to hear more about either offering, please contact Samantha Howell.

This blog was written by Scarlett Sullivan.