'Northern Ireland police leak highlights importance of boosting cyber security'

The shocking, if self-inflicted, data breach of the Police Service of Northern Ireland, putting 10,000 employee Iives at risk, is a siren wake up call for every UK citizen and institution.

From the NHS to academics, everyone has been far too slack to upgrade their security protocols.

Criminals, terrorists and foreign powers do not just home in on big institutions and government. They are out for you.

IFAs are prime targets. Be on your guard, criminals exploit every weak link. They will use you as a conduit to the ‘big guns’ – banks and insurers.

As far back as 2017 Amyas Morse, then head of the National Audit Office, stressed: “For too long, as a low value but high volume crime, online fraud has been overlooked by government, law enforcement and industry. It is now the most commonly experienced crime in England and Wales and demands an urgent response."

Even years on, there has been no fundamental change; it seems a real life version of the famous play Waiting for Godot.

Even the toughest sentence is no deterrent. The likelihood of getting caught is as remote as winning the lottery.

In November 2022, the NAO noted: "Fraud was the largest category of crime in England and Wales in the year ending June 2022, amounting to 41 per cent of all crimes against individuals, compared to 30 per cent in the year ending March 2017.

"The cost of fraud to individuals is £4.7bn – but we can’t even shine a light on the cost of fraud to businesses as so far there is no accurate aggregate data.”

Shockingly, the NAO points a finger at the Home Office, accusing it of “a limited understanding of who commits fraud and those who enable it by their action or inaction.”

Officialdom from police to judges seems hamstrung. Some believe judges do not issue harsh enough sentences. In any case, even the toughest sentence is no deterrent. The likelihood of getting caught is as remote as winning the lottery.

That is not hyperbole. As recent a victim of attempted ID theft myself, I dutifully tried to log this attempted fraud on me.

Despite HMRC’s claim that registration is no endorsement, to the ordinary person on the street, it is a seal of approval.

Superficially, I suffered no actual loss. Action Fraud's website was lukewarm in encouraging people in my situation from even logging this type of attempt.

Yet my attempted ID theft felt like a violation. I lost a day's fees; as a freelancer, no work means no pay and no revenue, however minuscule, that day for me from HMRC (as it took a while to grapple with call centres to secure my data). Their time in clearing up the mess is also unrecorded in official data.

Official figures are vastly underestimating the extent of fraud. That is also the conclusion of the NAO, at least in its seminal 2017 report.

It estimated that less than 20 per cent of incidents are reported to the police. Why bother, when bodies like Action Fraud do not promote the reporting of every minor transgression?

Easy pickings

IFAs know well that the lowest hanging fruits to fraudsters are pension pots.

Indeed, Gary Evans, now retired and then head of third party administration at Hymans Robertson, told me a while back: “Before 2006 [a meaningful investigatory process] changed to one of HMRC registering any scheme that asked [a rubber stamp] from 2006. Effectively HMRC stopped checking for fake schemes and became a rubber stamp for any scheme.”

Even though HMRC introduced more stringent checks in 2013 and 2014, essentially to protect tax relief rules for pension schemes (including ‘fit and proper' checks of pension scheme administrators), too many pension frauds are still occurring. 

HMRC is, in my view, not helping. Its apparent all-too complacent attitude is at odds with the more forensic approach of The Pensions Regulator.

HMRC disputes this: “It has never been our role to regulate pension schemes. Schemes register with us for tax purposes only and registration is not a form of endorsement.”

Speaking to FTAdviser, one of pensions most experienced experts Lesley Carline, director at KGC Associates and immediate past president of the Pensions Management Institute, points out that "There is an assumption that if it's registered for tax, then its bona fide. This makes pensions vulnerable to fraud.”

Reform is slowly coming with the economic crime and corporate transparency bill. But what tardy progress.

Despite HMRC’s claim that registration is no endorsement, to the ordinary person on the street, it is a seal of approval that everything is above board.

Should HMRC allow its good name to be associated even at one step removed with fraudulent schemes? 'No', is the only answer.

Clearly HMRC is not getting the message across that its registration role is simply for tax relief purposes and far from any guarantee that your money is safe .

Be on your guard. Carline so rightly stresses: “Trustees need to be aware of the connectivity which makes them vulnerable in our digital lives. For example, if there is a cyber leak it might be at the bank account level not the administrator.”

It is all so easy to steal. Not just in pensions but in all types of fraud. Anyone can set up a limited company with the most cursory of checks. All you have to do is just pay a £12 incorporation fee, and with ‘off the shelf’ companies, you can get a certificate of incorporation within hours. No checks at all.

Reform is slowly coming with the economic crime and corporate transparency bill. But what tardy progress.

Pension fraud and online cyber attacks will rise in tandem while easy pickings remain. Stay one step ahead of these criminals or risk losing everything.

But IFAs can’t stand alone. They need tougher laws, motivated police and co-ordinated government: do the Home Office even talk to HM Treasury and other departments on this topic?

Cyber security is not just for IT nerds. It is the concern of us all, from financial titans to high street minnows, and of course the government too. Our very prosperity and much more is at risk if we ignore this vastly underrated threat.

Tragically, as the Northern Irish police data breach shows, poor security procedures in your office can even be a potential risk to life and limb. Yet complacency is all around us.

Could you live with yourself if your clients face financial ruin because you failed to ratchet up your digital defences a notch or two today?

For IFAs, the National Cyber Security Centre is an excellent source of information and advice.

Stephanie Hawthorne is a freelance journalist