‏‏‎

Scottish Widows

October 07, 2020

Siobhan Barrow:  Good morning everyone and thank you for joining us today.  For those of you that don’t me, I'm Siobhan Barrow, Head of Intermediary Distribution at Scottish Widows.  Today's session is such an important area for all of us, with the recent announcements advising everyone to work from home where possible for the foreseeable future, cybersecurity is becoming an increasingly important factor for all businesses going forward.  So we hope that you find information provided today in today's webinar, extremely useful.

                                Now today, I'm thrilled to be joined by my colleagues, Alec Howard, Gareth Thomas, and Murray Jackson, who are all part of our cybersecurity teams across Lloyds Banking Group.  Tony Clark, one of our regional development managers, will also be hosting the Q&A section at the end.  So please do use the Ask a Question function to submit your questions at any point during the presentation.  Tony will keep a lookout for some key themes and he can put those to the team towards the end of the session. 

                                Now, the webinar is being recorded so it will be available for you to share with colleagues, et cetera, after the event, and you can use the same link that you used today.  Now, we've already had some amazing topics on our expert series with some of the most popular additions being a brilliant session regarding the economic state of the nation with Paul Johnson from the IFS and an overview of best practice supporting vulnerable customers with Jan Holt.  We've got lots more to come before the end of the year, including an interview with the broadcaster, Dr. Mike Mosley, which will look at the benefits of a healthy lifestyle for combatting illnesses, et cetera.

                                So do head over to our expert series web page, where you'll see all of the recordings from our previous sessions, but it will also give you an insight into what's to come.  Now, as I mentioned right at the top, it's a very timely topic to discuss cybersecurity, so I don’t want to waste any further time.  So let's get started.  Alec, over to you.  Thank you.

Alec Howard:      Thank you Siobhan and good morning everybody, and thank you for joining today for what I hope will be a very informative and enjoyable event, and I appreciate everybody giving up time in your busy diaries to attend this.  So brief introduction on myself. I head up the Scottish Widows division of the security team.  In a nutshell, my job is to ensure that our parent group, Lloyds Banking Group, security policies and requirements are in place to help manage and ensure security risk is minimized to Scottish Widows and our customers.

                                So personally, for me, very interesting, varied, with rarely a dull moment in the day and particularly, as Siobhan said, COVID-19 has made this a really interesting dimension to manage these risks at the moment, and particularly some of the trends and themes we've been seeing as a group. Phishing emails have gone through the roof earlier in the lockdown period this year.  So never has this kind of topic been more critical than now. 

                                I'll just hand over to my colleagues to give a quick introduction on their role in the group.  Gareth, I'm going to hand over to you.

Gareth Thomas:  Good morning.  My name is Gareth Thomas.  I work for the Chief Resilience and Security Office in Lloyds Banking Group and I'm responsible for helping colleagues understand the cyber threats that affect them, and their families, and the group, and to protect our customers as well from cyber and physical security threats.  Murray, do you want to introduce yourself?

Murray Jackson:  Yes, sure. Thanks, Gareth.  Good morning, everyone.  My name is Murray Jackson.  I'm an intelligence manager within the Lloyds Banking Group Chief Resilience and Security Office, working within the strategic intelligence team.  Strategic intelligence is about highlighting medium to longer-term threats that could impact any part of the group and escalating them to the correct area or stakeholder. These could impact decision making or just inform the latest understanding of a threat. 

                                I'm also joined by my colleague, Darren Morrissey, who leads the operational intelligence part of our team.  So operational intelligence is much more reactive and involves daily scanning of intelligence sources and news to identify potential immediate threats to Lloyds Banking Group and to escalate them, often generating short-term actions to address any new or evolving threats.  So Alec, back to you.

Alec Howard:      Thank you, Murray.  Thank you, Gareth.  And just before we get started, I will caveat this presentation a little bit.  This is general limited guidance that we're giving you here today, guys.  So it isn't a replacement in thinking that this covers absolutely everything.  You are recommended to speak to your professional IT provider or internal IT teams within your business.  So however you're doing that.  I know we've got a very varied audience on the call but it’s general guidance.  This doesn’t cover absolutely everything but it’s really good food for thought.  You can think ‘have we got some of these controls and processes in place to protect our business?’.

                                In terms of the agenda of what we're running through, we'll cover the typical ways attackers get in to try and attack a business and we'll go into some more specifics of those particular trends and attacks that they might do.  So that’s covering website attacks, business email compromise, home and mobile working, social engineering, what could happen, malware and ransomware, and then cloud risk and then we'll finish up with some real examples where this has gone wrong for businesses and why this is all so critical.

                                But before we get started, I'm going to start with a little poll to get people thinking.  So how long do you think that your business would last without your IT systems?  We're going to give you four options.  One day, one week, one month, or a year.  So we're going to push the survey out to you now.  I'll give the people about 30 seconds just to think about that.  Hopefully that's come up for everybody.  Quite interesting.  I'll give people another 15-20 seconds.  All right.  I'll pause there and then I'll send the results so you can see.  Hopefully this is coming up for everybody. 

                                So what's come back for most people?  A day, a week.  There is no right or wrong answer on this, I want to say. But if you are answering in the one day, one week category, some of this guidance, and things to think about today will be really, really critical.  This is to make sure that the systems that you use and rely on for your business are absolutely never out for longer than a day or a week hopefully.  So no right or wrong answer on that one. 

                                Going to a second poll.  How long do people think it would take a cybercriminal to crack a password of six lowercase letters?  Again, we've got four options for you.  One minute.  One hour.  One day.  Or one week.  So I’ll move onto that one and hopefully you'll be getting the poll coming up now. All right, a clear winner.  I'll just send the results to you all now.  Most people are saying a minute or an hour, okay.  It's a bit of a trick question, this one actually.  The correct answer is actually four milliseconds.  So Gareth, do you want to give us a bit of an explanation of how that’s possible?

Gareth Thomas:  I know, it's scary, isn't it?  The short answer is maths but I feel I should give you a little bit more depth than that.  So when websites save passwords, you setup an account with a website and they save that password, they save it using a one-way encryption method.  Now, very, very frequently, websites are breached and those encrypted password lists are stolen.  The criminal will then try a number of different passwords to see if they can run it through the same one-way encryption and match it to the password that’s stored in the list. 

                                Now, the slowest way to do this is what's known as brute force, where they literally try every possible combination of letters and numbers until they match the password that you've got.  That’s the slowest way to do it.  Now, think of it this way.  If I had a password that was only one digit of numbers, then that would give ten possible combinations and you can imagine how quickly we could crack that.

                                If we had two digits, well, then that’s 100 combinations and that’s going to be a lot longer and three digits, of course, is 1,000 possible combinations.  So you can see how very quickly and exponentially, it gets harder and harder to guess all of the possible combinations of a password.  So a six-digit password is really not good enough anymore.  It's just not up to the job.  It can be cracked in four milliseconds.  But if you went for something like a 15-digit password and you used uppercase, lowercase, numbers, and symbols, then you're really talking something around the few thousand years to try and crack it using a slow attack. So that’s where you want to head.  We're looking for 15 characters mixed case. 

Alec Howard:      Fantastic.  Thanks, Gareth.  This is a key way that attackers are looking to get into businesses now.  So maybe if you're sat there thinking, ‘I'm using quite a short length password for my business at the moment or my main Windows logon account’, or on your website, maybe you might think to go in and change that to a slightly longer and stronger one straight away.

                                Right.  So first-term section of the presentation, ‘how do attackers get in?’.  This is not an exhaustive list I'm going to go through but there are four key ways an attacker would typically try and attack a business to get a hold of data or information to commit fraud.  For the first one; vulnerabilities in your website.  So for example, this could include exactly what we've just said there with password requirements.  Maybe a website has been designed and coded where actually it only needs a very minimum length password of six characters or eight characters for example.  That's just going to enable someone to do those types of brute force attacks that Gareth said.

                                It could be that the website is not secure and encrypted but that would enable somebody to monitor the website traffic, for example.  It could be that somebody would look to do something called a DDoS attack (Distributed Denial of Service).  A website attacker may flood it with traffic just to bring it down.  That will usually be followed by a ransom demand.  We'll go into that in a bit more detail in a second.

                                The next one; flaws in software.  So again, you might be using pieces of software such as your CRM (Customer-Relationship Management) systems that come from IT providers. Now, providers of these software or your main IT provider more often than not can offer patches in those software and updates to make sure they are protected against these types of malicious attacks, being taken advantage of.  So what it might allow somebody to do if it has got a software flaw, it might allow an attacker - if they get through things like firewalls that you might have in place - to get into that software and start moving around.  And they'll be looking for data.  Can they make payments, change details, that kind of thing. 

                                The next thing; people.  This is a key one and it's often the first line of defence for organisations, but criminals will look to take advantage of people as a way to get into your business, to get hold of data or money.  So again, that could be done through coercing insiders in an organization.  It could be offering cash for data. It could be phishing emails. I’m sure people have heard that, where an email comes in looking as if it's from another company or a real company, but actually it's giving you links to a fake website to try and harvest credentials or it could be attached with a file, which could contain malware.

                                And that takes us onto the next one, the most common and probably an increasing trend of what we're seeing as an organization, but it's usually the malware or ransomware attachments in emails.  But it could also come through websites or even mobile device messages.  So these are little software packages that could be an attachment that then are getting into devices that you're using or your network, for example.  They will run scripts and codes designed to do things like encrypting all your files and data, or send data back to the criminals.

                                So for example, Jeff Bezos, the Amazon CEO, he fell victim to something like this, through a Whatsapp message recently.  So it's not just your emails these days.  It's even through smart devices and messaging software..  There's a common theme here I would say.  All these types of attacks will be used to try and generally steal data from you, your clients, your customers, your members, and probably then to commit fraud.  It's all with the intent of making criminal gain.

                                So there's rarely people these days doing it purely for fun, as maybe it might have been seen 15, 20 years ago.  These are often organised criminal groups and some of them could even be backed by nation state attackers.  So Russia, China, North Korea intelligence. I know Murray and Darren would be able to back me up on this, that there is evidence that these big corrupt countries, potentially, are sponsoring groups to try and do these attacks constantly.  That way they can gain, make money, get data that can be useful.

                                And what I would say generally is, ‘would I be attacked…we’re maybe a smaller business and not high profile’ but security for obscurity is not the strategy.  We have seen circumstances with IFAs in our business. Attackers will go after anything they can find and monetize, generally speaking.  So big, small, personal, individual, they'll go after it.  If there's money to be made, they will do it.  These are organised groups.  They're going as far as to start deploying artificial intelligence and machine learning now to gather this data across the net and find potential targets. 

                                Again, like Gareth said with the passwords, if websites have been hacked, it's generally available data for sale on the Dark Web, as people may have heard about.  The Dark Web is a secret or hidden part of the internet that then will be there for people to try and use this data to basically go after individuals and businesses to make money.  There's a common theme there that each of those criminal groups will do.

                                I'll move on then to the next section; website attacks.  We'll go into this in a bit more depth.  So there's a range of different attack methods here that attackers may do.  So the first one, like we mentioned, it could be that your website is deploying (if you've got one) a weak password strength requirement.  So it could be used to undertake a brute force attack, like Gareth said, just flooding website logins with a variety of different logins and password credentials, trying to get in, enter into a website. 

                                And thinking back to that, if your website is there with only six lowercase characters, you are potentially vulnerable to your website being hacked, and unauthorized individuals getting in and moving around in your network, your systems, looking for data. 

                                The next one, websites not being secure and encrypted.  So again, this might enable an attacker to monitor the traffic that’s going through it.  They will then use that to steal data, capture card payment details, for example, if you have that on your website.  You can check if you're secure from this though.  If your website is hosted by a third party provider, for example, just look for the HTTPS in the start of the website URL.  Sometimes, most modern websites are, they have a little padlock symbol by it, for example, to show that it's a secure website. And most modern internet browsers, your kind of Edge browser, Google Chrome, for example, would automatically flag these and state that the website is not secure.

                                Another attack method that can happen, I've already mentioned it; something called a DDoS attack.  So this is where criminals will flood a website with traffic.  They will often use maybe a bot net device to do this in order to bring a website down and make it unresponsive.  So that is then usually followed by a ransom demand from the criminal to say, ‘if you pay us X amount, then we'll stop the attack’.  It's probably more likely an attack on higher profile companies but actually, it could be used as a distraction technique for other companies -- to basically go and do something else.

                                And another final way; it could be defacing a website.  So again, if someone could get in using the credentials to change a website, they may look to change things like contact details on it, change the links to forms that you may have on your website, again, all with the idea of sending data to the wrong place which they can then then use to commit fraud. 

                                So how can you protect yourself from this?  Number one, use a reputable website provider.  There are many out there on the market.  I'm not going to try and run through them all but it's about doing your due diligence.  Make sure they're a good company.  Look at the Ts and Cs that are providing the services they’re offering. 

                                Number two, use strong access credentials.  I can't stress this enough.  So make sure it's a long, strong password to get into the website, ideally using two-factor authentication as well.  So this is where maybe a text message is sent to another device in order to log in, for example, to stop somebody trying to get into the website who is not authorised.  Make sure the website is using technology such as HTTPS.  Making sure that your website traffic is running encrypted traffic. 

                                CAPTCHA, for example.  This is what you might see when you complete a form and then you get a picture with ‘select all the traffic lights’ or, ‘select all the fire hydrants’..  This is designed to stop robots continually flooding and completing forms into your business.

                                And finally, be sure that your website is subject to something called a penetration test.  So again, if you're using a reputable website provider, they may well offer this service for you.  But if they're not, it's recommended.  There's many accredited penetration testers on the market.  They can run tests on your website to make sure it's safe, it's secure, and if there's any issues and vulnerabilities within that, how to close those off and make sure that you are safe.

Gareth Thomas:  Alec, just to interject, I've had a lot of questions coming through about passwords and how to use and remember lots and lots of good secure passwords.  So really simple advice is use a password manager where you possibly can. That’s recommended by the National Cyber Security Centre (NCSC).  Use a password manager.  That will allow you to remember and create unique strong and long passwords.  That is the best advice really.

Alec Howard:      Thank you, Gareth.  Right.  We'll move onto the next section; business email compromise.  This is an increasingly common attack method and particularly, with IFAs - actually intelligence from our organization is showing that this is an increasing trend for committing fraud, particularly on investments and savings products that your clients have, particularly in the IFA population, for example.  So what is this? 

                                Criminals maybe look to impersonate email addresses.  This will be for tricking customers into transferring money to the wrong destination or the wrong account details.  So sometimes, a criminal might be sat there just monitoring, waiting, checking for that moment when a transaction or a payment might be taking place.

                                Or another way, as I mentioned, they’re already in -- they're in an inbox, either through your client, your customer, your member, or yourselves.  So they're monitoring that traffic.  Or they're just sat there looking to harvest data from it.  So again, they're looking at what's going on, the kind of accounts that people have or businesses they deal with, or to build up a profile of you, your business, and what you're doing.

                                So it's increasingly common.  People may hear about it with mortgages and solicitors.  So criminals will often go after that space because, again, it's that classic payment fraud at the moment. The customer might be purchasing a house, transferring deposit to the solicitor.  They'll try and get in there, pretend to be the solicitor for example.  ‘We've changed our bank details.  Can you please send it here?’ and somebody sends their deposit to the wrong place. 

                                So there are lots of technical controls we'll go through but I'd actually say, in addition to those technical security controls, you may want to consider non-technical process things, like use of code word or secondary approval for payments.  Have something you use in your organization to say, actually, during a critical moment where we're sending money around or sending a lot of data around, we're going to use that code word or process that’s only known internally to prevent Frauds. 

                                But what can you do from a technical perspective?  So be wary of phishing emails that you receive.  The keywords we use internally in Lloyds Banking Group and Scottish Widows is ‘think before you click’. So if you have an email, were you expecting it?  Did it come from outside of your organization?  Check the domain that the email has come from.  Is the spelling good in the email?  Is it forcing a demand and a timescale, that kind of thing?  Criminals are often trying to put pressure on people to make decisions quickly. 

                                The next one; use strong passwords and change them regularly.  Or as we've already said, multi, two-factor authentication wherever possible - a lot of websites and accounts will offer this now.  Most domain email providers will say if you want to have a text message go to a secondary device before you log in, that it can help prevent some of this. 

And then training your staff.  I've already covered this one in the main attack methods at the start.  People can be a weakness but they're also your first line of defense.  So ensuring you have cyber security, data security training, especially around phishing is particularly key to try to prevent some of these attacks.

                                Gareth, can you give us any cases where this has been taken advantage of, for example?

Gareth Thomas:  Oh, very much so.  Yes, so there was a very, very famous case highlighted just recently.  You'll find it in BBC News or you can Google for it… but the FBI raided a number of addresses in Nigeria alleging that massive fraud had been perpetrated through business email compromise.  So the FBI said that the email was being intercepted by the criminals between real estate agents, as you mentioned, solicitors, and their clients.  And they were doing it at the point of payment.  So they would be monitoring the communication and at the point the bank details were exchanged, then the criminals would go and intercept that, and change the bank details to their own.

                                And so when people thought they were paying for their houses, they were actually handing over hundreds of thousands of pounds and dollars to these criminals.  In fact, one of the alleged fraudsters was really famous on Instagram and liked to show off his luxurious lifestyle on a daily basis to his 2.5 million followers.  When the police arrested that guy, they recovered $40 million in cash along with 13 luxury cars worth $7 million.  And also, and this is the really interesting thing, the names and addresses of nearly 2 million victims.  So this is industrial scale stuff, perpetrated by gangs that are as big as any company you know, doing this on an industrial basis.

Alec Howard:      Thank you, Gareth.  We are seeing intelligence on this that criminals are targeting the IFA market as well - particularly savings and investment products that you are operating on behalf of your clients, those types of products, it's more of a cash-based product.  So potentially, if you think that a pension product, a life insurance, critical illness product for example, they're going to be slightly more difficult for somebody -- a criminal to encash money out of than something that is an investment product.  That is what they are more likely to go after, so it's being wary around that particular area.

                                The next section; home and mobile working. As Siobhan said at the start, with COVID, I'm sure, many people in our audience today are working from home right now.  I am personally.  I'm sure all of you are.  It's obviously gone through the roof since COVID.  The benefit of flexible, agile life/work balance, for example, but there are risks to be aware of as well that you need to think about. 

                                So typical ways that this could be taken advantage of.  Something called remote desktop protocol.  So this is where criminals may convince people to allow you to take over your device.  So it might start with what's known as a vishing attack where a criminal phones you.  They’ve maybe got your phone details from another data breach that’s occurred.  They'll ring up pretending to be an IT support line or somebody from Microsoft/Google and say ‘will you allow me to remotely connect to your desktop’. And at that point, if you've left websites logged in and things like that, they'll go after everything they can do.

                                The next thing; USB sticks.  These are an incredibly important method for criminals to use, that you need to be careful of.  Criminals will sometimes give malicious removable devices to people.  They'll have malware/ ransomware installed on them.  The moment you put them into your device, it's going to deploy that malware onto your machines and into your network potentially.  They've designed code to spread as much as they can within your device or network.  It then might lock down all of your files, all your data, in demand for a ransom payment or it's sending data back to a criminal.  And it will happen in the background, so you may not even be aware.  So we would recommend that you don’t insert USBs into your machine unless you're sure of where it's come from.  Be wary of free trial software that might be online.  Make sure it's a genuine and reputable provider that you're aware of.

                                Another way; weak public Wi-Fi connections.  So I know I've seen Gareth actually do this at events I've attended.  It's pretty easy to create fake public Wi-Fi networks.  These are insecure.  People connect to them.  So often, if somebody is in Starbucks or the train station, they'll create a network.  It will say Starbucks free Wi-Fi but it's not really.  It's completely insecure.  Criminals will then use that to monitor the traffic that’s pouring through it, looking for credentials or details, any sensitive data that they can put to their gain.

                                So how can you protect yourself from this?  One, ensure you regularly update your device with the latest patches, like we said earlier.  This will stop those particular vulnerabilities, particularly a remote desktop protocol, being taken advantage of.  Avoid using public and free Wi-Fi connections if you can.  So it's better to maybe try and use a 4G connection, My-Fi devices and things like that. But generally, use secure Wi-Fi connections that require a password and then the traffic through it is encrypted. 

                                Providing your staff with dedicated work equipment rather than using their own, if possible. Sometimes that’s not the case but if you are giving staff their own devices, there's lots of different ways you can do that securely rather than allowing them to download data onto their own device.  You can also, working with your IT provider, make sure that USB sticks are actually blocked.  There are software packages like McAfee, which can do that for you to make sure that if the USB stick is plugged in, it will be blocked, for example. 

                                When staff are working from home or in public places, just making sure it's away from open windows and doors. You'll often get low-level criminals who will take opportunistic chances if they see an open window and there's a laptop right next to it.  They'll just sit there looking at the screen, trying to see what they do.  So again, things like privacy screens on devices are very useful and a way of stopping that potential way of your clients' data being stolen. 

                                And finally, as I've said before, two-factor authentication for logging in.  But also something called a secure VPN, so it's a virtual private network on connections.  Again, there's lots of different solutions on the market out there but this means that traffic - even if you did connect to a public Wi-Fi – would be encrypted as it flows through.

                                Gareth, we've got a lot of colleagues in Scottish Widows, don’t we, working from home at the moment.  Can you run through some of the guidance we've given to colleagues beyond what we've done here?

Gareth Thomas:  The advice that we give to colleagues is always fairly simple.  It's the little things that you can do to make a big difference. So the first is make sure your workspace is safe and professional.  That’s important obviously because you don’t want daytime TV blaring down your phone whilst you're trying to sell products.  But also, keep yourself away from windows and avoid being overheard.  It's easy to work with a window open and your next-door neighbour is catching everything that you say and popping it on Facebook.  So we want to avoid that.

                                Only use the IT that we provide.  That’s the other key message.  Because people are always tempted.  They think, I'm working at home, so why can't I use my home laptop or my home computer.  That’s not a good idea.  The laptops that we provide for our staff are really carefully secured and we make sure that they’ve got all the latest patches and all the good stuff on there.  So we always tell our staff, please don’t be tempted to use your home devices.  Don’t email stuff home or use your home software and please don’t use your personal printer.  So just use what we provide to you because we know that it's secure and we're looking after it.

                                We also say lock your PC when you're not in front of it because you just never know who's wandering around your house.  We have people that live in shared houses.  We don’t know who's there.  It may be that you have staff, or cleaners, or people that are around your house.  So if you're not in front of your computer, lock it.  Use the Windows key and L at the same time and that will just lock it.

                                And then when you're finished for the day, put it away and put the papers away, and just keep them all neat and tidy.  And then you know that there's no temptation for people to oversee things.  And of course, just because we're at home, it doesn’t mean that we shouldn’t maintain the great habits that we always use whether we're in the office or not.  So as we mentioned lots and lots, strong and unique passwords.  Make sure that you handle data correctly.  Encrypt it when you need to and always, always, of course, be careful of phishing emails, which are a major threat and I'm sure we're going to talk about later.

Alec Howard:      Thank you, Gareth.  Right, the next theme then; social engineering and your online profile. We kind of touched on this a little bit already but criminals will increasingly use what's called your digital footprint and that’s how they can start potential fraud or attack on you or your business.  So digital footprint - what do I mean by that? It's the information you've left on the web about you or your business.   

                                And criminals are using multiple techniques to gather this data.  So they'll look at social media, LinkedIn, Facebook, text messages if they’ve got access to your device.  I'm always very wary, I have to say myself, if I see these kind of posts on social media that will say ‘fill in this form, what's your favorite holiday location, what's your favorite football team’.  Why are people doing that?  Well, it's generally to try and gather data that might be a password, a credential for them to get in.  So be very, very wary about what information you leave on the internet, on public forums, social media because it can be used against you to try and access your systems, commit fraud, impersonate you or your business and commit identity theft. 

                                What do we say to our colleagues and staff, and what should you be thinking about to protect yourself and your business?  So ‘think before you click’ on any messages that you receive that are not expected or do not feel right.  Someone might be trying to gather more data about you to commit that type of fraud, so limit what you post about yourself on social media. 

                                You may see things like privacy settings on your accounts for these websites.  It's thinking about making sure it's limited to just your friends and connections only.  Don't be putting posts out there, which are open to all and ‘public’.  People on LinkedIn will often say ‘I'm the database engineer at IBM’. Okay, that’s giving a criminal a potential easy target that they want to go after because you're revealing too much about yourself.  So it's not to say that staff and colleagues can't go on these sites. Absolutely not.  But just think and be careful about what you're putting on there because it can be the start of a potential attack.

                                And then finally; search your name.  Put your name in Google, or Bing, or something like that and when you search yourself, what can you find?  And if there's anything you're not comfortable with or it gives a little too much away about yourself or your business then it's a good step to try and limit that audience, go onto those websites, delete the data, or limit the audience. 

                                So Gareth, any examples that you could give us where this is being used to a criminal's advantage, for example?

Gareth Thomas:  We've had a few instances recently of staff being called out of the blue actually on their personal mobiles, which is quite interesting.  So somebody, somehow, has managed to find a personal mobile link to a group employee.  And the phone calls say things like ‘we're from the IT support team and we can see that your laptop has got an issue.  We need to log into that laptop please and do some maintenance’. And when the caller was questioned a bit harder, it all began to reveal itself as a bit of a scam.

                                We've also had colleagues called on the phone from people saying that they are from HR and that there's been a problem and that they need to come into the office, or they need to hand over the laptop, or they need to do some other option.  And again, colleagues have been wise to these kind of scams and been able to put the phone down and report it to us.  We've also, interestingly, seen phishing emails being sent to colleagues and then being followed up with phone calls.  And that means that while you might spot a phishing email and think, ‘this looks a bit dodgy’. Somebody finds it and says, "Oh no, that was from me.  It's okay.  It's absolutely legitimate.  No, definitely.  I'm from ABC supplier.  We have changed our bank details.  Just click on the link and change your stuff."  But of course, both the phone call and the phishing email are from criminals.  It's quite common to combine those types of attacks and try and fool staff.  So be on your guard.  Have really good processes in place that mean if you do get anything like that, you double-check it.  You call the person back or have processes to double check that what the caller is saying is true.

Alec Howard:      Thank you, Gareth.  Right.  Just to check everybody is still listening - another poll. This leads to our next section; ‘what percentages of businesses have reported having cybersecurity breaches or attacks in the last 12 months?’  Again, I'm going to give you four options; 10%, 26%, 35%, or 46%.  So I’ll just put that survey out and we'll give 30 seconds for people to respond to that one.   

                                Right, I think that’s a good proportion of everybody. Most people went for 46% or 35%.  The right answer was 46%.  That was actually from an Office of National Statistics Survey earlier this year of businesses and it's on the rise.  So basically, put it another way, there's almost a 1 in 2 chance that your business could be subject to a breach or attack within the next 12 months. 

                                So it's on the rise and a particular way and increasing trend we're seeing that happening from is malware and ransomware.  So as I touched on earlier, this is malicious software packages or code that is deployed into your devices, your networks, for example, that is then designed to just wreak havoc and can have an absolutely devastating impact to the businesses. 

                                So there's a couple ways it can happen.  Malware is typically designed to gather and steal data, control devices, capture log-in credentials, which will then be used to go in and complete an attack or a fraud at a later date.  Ransomware, people may have heard of that particular term.  It's the same kind of thing but it's generally where all of the files on your devices, your network and the code that is designed to go through and encrypt it,.  You'll then receive a ransom demand from the attackers of ‘okay, if you want to get all your files and data back, you need to pay money to this location here’.  Typically the demand being in cryptocurrency, something like Bitcoin, which is designed to avoid detection of where that payment has gone and who it's really gone to.

                                We'll run through some real world examples of this later but our intelligence suggests it's definitely on the up.  Again, link it back to the point on nation state attackers.  These criminal gangs that are being sponsored to try and develop this stuff.  Sometimes it's to attack businesses, and money, and fraud, but actually, some of it is also in things like election fraud, or going after the critical infrastructure of countries as well.  Increasingly, countries like Iran, North Korea are doing this.  So it's very real and it's on the up. 

                                How can you protect yourself against this?  Regularly backing up your systems and data.  I can't stress it enough but if the worst were to happen and this kind of thing happened, having a backup and a copy of your systems and data is the best protection and keeping that on a separate network or a separate location, or even better, on an offline device.  If the worst were to happen, at least you can go back to the data you've taken at the last cut. Generally, for an organization like Lloyds Banking Group, we're backing up systems and data multiple times a day.

                                The other bit of that is ensuring you've got the latest security updates and patches on your devices and using a good antivirus product.  So something like McAfee, for example, will sit there scanning your devices, your networks to make sure if any of this code is there, it's designed to detect it, quarantine it, and get rid of it. 

                                Consider purchasing cyber insurance is another way.  Increasingly, companies are doing this.  There are companies out there on the market, a broker like Arthur J. Gallagher, for example, where you can buy insurance against this type of attack.  A word of caution with it.  Make sure you check the conditions of the policy. It will probably require that you are following good security practices in order to benefit from a payout if the worse were to happen and you had disruption to your business or a fine, for example, from the ICO, for that.  It is a good way to potentially mitigate and protect your business. 

                                Be very wary of emails with attachments and links, especially something that’s asking you to click something that creates an emotional response. Those keywords, ‘think before you click’. If you weren’t expecting it, if it's coming from outside your organization, if it's got a demand that you need to open this or provide your details in the next five minutes or otherwise you're going to lose access to your systems, it's probably not real. 

                                And then finally, we touched on it before but people are the first line of defense but also a potential weakness.  Make sure they're trained, particularly on phishing emails.  Within Lloyds Banking Group, for example, we do phishing test emails to our colleagues every month.  Gareth's team actually does that - where we do thousands of test emails to try and test that colleague understanding.  They are harmless but it is a good way of testing if your staff are aware and following what they need to do. 

                                Right, the next section before we get onto Q&A;  Cloud risk.  This is an increasing area.  We're seeing a lot of businesses and companies, including ourselves, are moving data and systems to be hosted on the cloud.  And what do we mean by ‘the cloud’?  I guess that’s a starting point and ‘what is cloud computing’.  A phrase I often heard is ‘there's no such thing as the cloud.  It's just another person's computer’. 

                                Essentially, what it means is that rather than hosting data on your own network, or your own servers, or your own computers, you're basically hosting it with another specialist IT company.  So typical providers of this are Amazon Web Services, Google, Microsoft, as you can imagine.  There are a few other providers out there.  And why do people and businesses look to do this?  It's often cheaper than running your own datacenters.  You won't have the cost of maintaining your hardware or the technical and physical security controls around it. 

                                You may well be considering to do it because of that cost benefit.  I think it definitely is the future of computing solutions but it comes with potential risk, particularly configuration issues.  So this might be - are you responsible for configuring the access control to it, managing those user access permissions for people to get into your systems that you're hosting on there.  And because of that, it can be openly accessible by mistake to criminals.  So you need to be extremely careful before doing it, to make sure that risk is being managed. 

How can you protect yourself and your business?  If you're looking to do this or you have already done it, check the level of service you're paying for from your cloud service provider.  You'll find with companies like Amazon, for example, that they offer different levels of service from just hosting it and you're responsible for everything; to the opposite end of the spectrum where they will configure all the security and do it on your behalf.  So recheck what you're actually getting and what you're responsible for and what they're responsible for.  There's lots of benefits and there's lots of pitfalls if it's done wrong.

                                And then finally; review your responsibility and your liability provisions.  So you'll find those Ts and Cs, the terms and conditions for your cloud service provider. They will say what they're responsible for and if there is any liability should data be lost, compromised, or your system compromised from the cloud. 

                                Right, onto real-life examples of when this has gone wrong and then we'll open up to some Q&A.  So people may have heard of the ICO, the Information Commissioner's Office, and a little something called GDPR or the General Data Protection Regulation, which came into force in 2018.  People mostly remember getting a lot of emails saying ‘do you still want to get emails from us’ and unsubscribing around that time.  It came into force about May 2018 in the U.K. and the European Union.  And whilst the majority of that regulation is aimed at data privacy, so things like marketing consent, marketing preferences, Data Subject Access Requests, Data Privacy Notices, the individual rights of consumers. However it also includes security requirements that organizations need to take.

                                The general wording is you need to take appropriate organisational and technical measures to protect data.  So if you and your business are a data controller or processor, these laws and requirements are applicable to you.  And the ICO can issue fines of up to 4% of your turnover or EUR 20 million for getting this wrong.  So if you have a personal data breach, this can be really painful to a business in terms of that financial hit if it goes wrong.

                                Gareth, do you want to go through these very quickly, some of the real examples?  Do you want to touch on British Airways and what happened to them? 

Gareth Thomas:  They were also fined.  They were fined GBP 183 million and of course, the fine is, I guess, the easy bit to stomach. It's dealing with your customers and the lack of trust that is going to be shown.  So British Airways were fined GBP 183 million because they allowed criminals to scrape credit card details from their payment site.  Now, it's not entirely clear how criminals managed to do this and as you can imagine, British Airways are being pretty cagey about it.  But there is a fair amount of speculation that allowing adverts on the payment page could have been a way in for hackers. 

                                Now, point of sale devices, be them tills or all sorts of different ways of taking payment, are a target for criminal gangs. And some criminal gangs actually specialise in this.  This is what they do.  So as ever, the advice is use a reputable payment service for taking payments and always keep your devices up to date.  So that’s taking the latest updates from the manufacturer that are sometimes called patches.  If you keep your device up to date, then that’s great.

Alec Howard:      Thank you, Gareth.  And another one here, so Travelex.  People maybe have seen this in the news around December last year, January this year.  So what happened to Travelex?  They basically were impacted by a ransomware that impacted their systems and network.  It came in through their website.   A key message is that they did not patch vulnerable software despite advice to do so.  And what happened is that they ended up paying a $2.3 million ransom to a cyber-criminal gang to get their systems back and get their data unencrypted to get their currency online.

                                During that period, they had their staff using pen and paper again to transact those currency transactions for their customers.  So should you ever negotiate with criminals?  It's a tricky one.  They decided to pay out and it got their business back.  Criminals can often demand a lot in things like that.  It's a very tricky situation here.  The biggest thing is that they could have prevented it by protecting and patching their software.

                                Gareth, Saudi Aramco.

Gareth Thomas:  Yes, Saudi Aramco, for those of you who don’t know, is possibly one of the biggest companies in the world.  They are estimated to be something around ten times bigger than the Apple corporation.  And they were compromised, not Apple of course, Saudi Aramco were compromised by a phishing email it's thought.  So hackers planted malware on the network of Saudi Aramco and it was triggered by the hackers during the holy month of Ramadan when the company was at possibly its lowest staffing level.

                                Now, the malware that they installed and executed wiped out 35,000 computers before it then started attacking the company's servers.  The company lost their payroll.  It lost their directories. It lost their shipping databases and it got so bad that they actually took the whole company offline and at one point were giving away their products to random customers just to keep their production facilities working. And it all started from one phishing email and it's estimated to have cost them billions of dollars to put it right. 

                                There's a brilliant podcast all about this story on Dark Net Diaries I think it's called, possibly. I suspect that many businesses that had smaller cash reserves would not have survived this level of attack.  So it just shows how potent attackers can be through just a simple phishing email, which accounts for probably 90% of the start of all cyber-attacks. 

Alec Howard:      Thank you, Gareth.  And finally, Talk-Talk.  So this is a bit of an older one actually back in October 2015.  So it started as a DDoS, a distributed denial of service attack, that was actually the distraction though as it was actually a 20-year-old hacker.  This attacker, he then did an SQL injection attack onto the website, an insecure page, and that allowed that attacker to get through to a customer database; 157,000 customer's data was exposed and that actually included 15,000 bank account details of those customers. 

                                Talk-Talk, had suffered two similar attacks actually on that particular page earlier that year but they didn’t take any action to remove the pages or make them secure.  I don’t think the pages are actually even needed for their business, which is the irony.  And the ICO issued them a £400,000 fine at the time, pre-GDPR.  So I can only imagine what that fine might have been for them had it been a couple of years later. Good news for them was that they only paid £320,000.  They settled early.  They admitted their mistakes and learned from it.  So I think be wary with this kind of stuff. Again, your customers, or your clients, your members can suffer.  But actually, it can hit your business in the pocket as well.

                                The list goes on.  There are countless other examples out there.  And whilst these may all look like big companies and examples we're using, we see it all the time.  Criminals will go after businesses of all shapes and sizes and they'll look to exploit weaknesses if there's money to be made. 

                                Tony, I think that’s myself and Gareth done.  It's just over to you for Q&A.

Tony Clark:          Fantastic.  Guys, thanks ever so much for so much information and so many examples as well.  I've done a few of these Q&As in recent weeks on the Expert Series. This is probably the one that's seen the highest number of questions.  Just as a reminder, folks on the call, we will look to collate the themes of the questions and actually provide some answers after.  There's no way we're going to cover all the questions in the nine minutes we've got left.  So we will look to do that.

                                So I've got a few that you guys can decide, I guess, who is best to answer these with the themes coming through.  So with so many people working from home now, a couple of questions around home routers and personal printers.  How exactly are these items compromised and what can folk do to make sure that their colleagues working from home are staying safe using their personal routers and their personal printers?

Gareth Thomas:  I can take that if you like. So I did answer a couple of questions on home routers and offer some advice there.  So do have a look back in the answered questions.  When you're using home routers, the first and most important thing is to change the default passwords that come with them.  Because when they ship from the internet provider, they're deliberately made easy to set up.  And so they'll come with basic security settings, the absolute essential.  So change any default passwords that are on there.  It's a good idea to change the default SSID.  That’s the name that gets broadcast because that obviously often refers to the type of router and gives any hackers a clue as to what it is.

                                It's really essential to switch off remote management, which would allow somebody on the internet to log into the router if they had the default user name and password.  It's a good idea to turn off things like UPNP and WPS, which are both features to make things really easy for the router to be used but are sometimes used by malware.  If you Google for ‘how to configure my home router to make it more secure’, there's some great articles out there too that will take you through more detailed steps.

                                When it comes to home printers and things like that, as my advice was before, use the equipment that’s provided to you by your company.  And I appreciate that some of you will be providing your own equipment and it's hard to give specific advice on every device. But what I'd say is: consult an IT specialist who can advise you specifically on the right devices to use and how to keep them safe. There are printers that contain, just like your router does, a way to log into the printer.  They have default passwords on them and there's even examples where people can send malicious documents to them and compromise them.  So get specialist advice when it comes to that kind of thing. 

Tony Clark:          Thank you.  That’s spot on.  Another question that’s on a theme around the wonderful world of spam and junk mail as well. One comment made, which I absolutely get is whether or not GDPR has actually had any impact on the amount of junk mail that we appear to be getting.  The wider theme coming through is, are there ways to avoid and reduce the volumes coming through.  And indeed, should we fully delete items that go into spam immediately or do we just let the spam folder do its thing?

Gareth Thomas:  I think my advice on this was very much be careful where you put your email address.  So spam will tend to build up because you've subscribed to lots of things or your email address is out there on the web.  I absolutely understand that it is a necessity of doing business that you give your email address out to people but be careful what sites you put it on because that can be scraped by illegitimate companies that will then start sending you spam.

                                If you do need to subscribe to sites and you want to receive those newsletters, it's a good idea to set up a separate email address, and then you know that whatever comes through there is likely to be subscription type emails and possibly spam.  And that keeps your main address free for doing business.  So keep your digital footprint low and be careful where you put your email address is probably the best way to avoid spam.

                                Having a really good email provider that’s got proper filtering and subscribes to good intelligence sources is also a great idea.  That will lower the amount of spam that you get because it should be trapped by the provider. 

Alec Howard:      Just to add to that Gareth, I would say, whilst companies like Microsoft and Google are taking great efforts to try and block some of these things, and law enforcement is trying to shut down these gangs; the phrase we use is ‘whack-a-mole’.  So the moment you shut them down from sending these kind of junk malicious emails that you don’t want, they'll just pop up somewhere else and do it again. So my advice would be don’t rely on your email provider or your spam filter to do it.  If you don’t think you need it, you don't expect it, just delete it.  Get it off your device.

Tony Clark:          Thank you.  Absolutely spot on.  Thank you.  One question I've got is around the support for security training and actually, I'll happily pick this one up myself around what more is available from Lloyds Banking Group to support people around their cybersecurity.  We've actually got a website, Lloydsbankacademy.co.uk.  Now, I'd recommend that for anyone because that provides support whether you're running charities, business, education -- financial education for children.  There's all sorts of content on that website.

                                If you then extend that out to /learn-for-business, there's lots of content in there around the general running of business, but specifically around the digital aspect and cybersecurity as well.  So take a look.  Lloydsbankacademy.co.uk is a great resource.  But then it's /learn-for-business will definitely take you to more resources that you can share with your colleagues, as well as this call, of course.

                                Guys, a couple more questions for you.  Many of us are getting of ‘an age’, do you have any tips for remembering passwords.  I heard the other day that it's safer to actually write them down.  You've got less chance of them being stolen from your house than you have of having a simple one and repeating the same one over and over again.  I'm not sure that’s the best advice but what tips have you got for remembering them?

Gareth Thomas:  The good news now is we've moved to the point now where we don’t have to write them down and we don’t even have to remember them.  So the advice from the NCSC is to use a password manager.  A password manager is simply a tool that sits sometimes on your browser and sometimes on your device, built-in by Apple and Google into their devices.  Where a password is asked for, it will suggest a password that’s strong and unique and it will then remember that for you.  So next time you come back to that website, it says, right, I know the password for this site and it will submit it for you.  So you don’t have to remember them all.  They're all strong and they're all unique, which is brilliant.

                                Now, clearly, what's very important is that we have a very strong password for our password manager. Now, often, I get asked does it not increase the risk, having all my passwords in one place.  There is always a balance of course, but the NCSC does strongly advocate using a password manager. 

                                Now, we're not allowed nor would we suggest any particular product.  I can't suggest an individual password manager for you, nor unfortunately, can we suggest any antivirus products or recommend any individually.  I would say that Apple and Google have them built-in and if you were to use a search engine and look for best password managers, there's a range in there and I notice that the same names keep coming up over and over again in all the different reviews.  So that should give you a bit of a choice there too.

                                I wouldn’t really recommend writing them down unless you absolutely had to and absolutely, please, don’t use the same password across multiple sites.  Because as I mentioned earlier in the call, it's where a website gets compromised and lots of websites have been compromised, and some big ones too, they will steal that password and then routinely, they will try that password in all your different accounts.  So you might lose a password from a shopping site and if you've used that in your email, they'll get into your email and start resetting other accounts or they might try it in your PayPal, your Amazon, your work accounts, and you can only imagine the damage that could be caused there.  So password managers are definitely the way forward. 

Tony Clark:          Fantastic.  Thank you.  And that takes us fully up to time with more questions still coming through.  So as I said already, we will look to get some themes together and provide some answers to the questions.  This call is available on demand from here, just by using the same link that you did to dial in today.  So please feel free to share that with colleagues.  Gareth, Darren, and Alec, thank you so much for your contribution today.  It's been absolutely fantastic.  When we close this call down, there is a very quick survey that we would ask you all to take a quick look at to give us some feedback on your thoughts for today and one or two wider questions as well, to help us with some future planning.  So thank you all very much for your time today.  Have a great afternoon.

Scottish Widows

September 3, 2020

Alison Nicholson: Good morning, everyone. I'm Alison Nicolson, Head of Client Relationships here at Scottish Widows. We're delighted you've been able to join us for our Economic State of the Nation webinar. This is part of our expert series, and I can see from the attendees many of you have joined our webinars before. And we hope those of you who it's the first one will join us for our future topics as we navigate these ever-changing times together. Whether you're an EBC, IFA, or employer on the call, you'll all have been affected both personally and in your business by COVID.

Today, we're delighted to be joined by Paul Johnson, CBE, Director at the Institute for Fiscal Studies. Paul has been at the Institute since 2011. He's a key influencer of U.K. policy as a member of the U.K. Climate Change Committee and of Banking Standards Board. He was previously Chief Economist at the Department of Education; Director of Public Spending at the Treasury, where he also served as Deputy Head of Government Economic Service. It’s really no wonder Paul was awarded a CBE in 2018.

Paul will share with us his thoughts on the economy, the COVID world we live in now, and what it means for pensions.

Throughout the session, please use the "Ask a Question" function. Alexis and Robert , who you see on your screen, will be hosting a Q&A with Paul at the end of our webinar.

So, to kick us off, we would like to hear from you. And Robert, can I ask you to start us with a poll before we hear from Paul? Enjoy the session, everyone.

Robert Cochran: Thanks very much, Ally. As Ally says, I'm Robert Cochran. And we're going to run a little survey here at the beginning. So, Paul is going to cover the economic state of the nation, but what we'd be really interested in is how you feel about your business, where you work. So, thinking about where you work, how confident do you feel about the business outlook and what this will mean for you or your employer?

So, I'm sending this survey to all just now. We'd love it if you could just complete this. It will help give Paul a benchmark for how we're all feeling and will support him when we look at all the numbers. So, how confident do you feel about your business outlook at what this will mean for you or your employer?

Here we go; "I think our business will shrink in size," we had about 18% saying that. "I think we'll remain about the same size," so 53% put that in as an answer. Great to see. And, "I think we're set to grow in size." So, on the whole, a pretty positive outlook there. So, that's a decent set of results for Paul to look at as we move into his session.

Now, Ali did say I think we'll do questions at the end, but we'll also take questions throughout. So, if you put questions in the little question box, both myself and Alexis will be watching out for them. And if there's appropriate times, then we'll ask Paul those questions as we're going through the session. Failing that, there will be some time at the end for questions to be covered off then.

So, without further ado, I'm going to hand you back to Paul to update us on COVID-19, the economy, and pensions.

Paul Johnson: Okay. Thanks ever so much. And it's quite a broad canvas I'm going to be painting today. I'm going to say something about what the economy looked like before COVID. It's something I've spoken about much too little, actually, over the last few months, but it is worth remembering that time many months ago, it feels, before COVID actually hit. I'll say something about where we are in terms of the economy at the moment, what that's likely to mean for the public finances. Meaning, one thing it's going to mean I think is that tax rises are likely to happen. I'll say something about that. And then, what that might all mean for pensions.

So, with no further ado, let me start with this chart, which until COVID I think was probably the most important chart in economics and, indeed, politics for the last decade. What it's showing is that both productivity and, as a result, average wages really flatlined almost completely from 2008, right the way through to 2019. So, absolutely astonishingly, the first time in literally hundreds of years – literally, hundreds of years – that average earnings haven't risen over a decade and the worst productivity performance over a decade in a similar period.

And the dotted lines at the top are, in a sense, what should have happened, had the economy grown as expected, had the economy grown as it had grown over the last 50 years, or so. You can see that wages would have been something like 20% higher than they actually were. So, that's an indication of the difficulty we were in as we came into the COVID crisis.

This next slide is showing you what happened to median incomes for different groups over that period. So, starting off with the population as a whole, you can see that incomes last year were somewhat higher than they were pretty much 20 years ago, but not very much higher. If you look at this green line – so, those of working age – you can see that the growth was even lower. You've got a growth of maybe 5% over a 20-year period; again, astonishingly low level of growth.

And then you've got this black line, what happened to pensioner incomes, or at least income for those over the age of 60, and you can see two remarkable things there. One is that, actually – particularly, over the 2000s; less so over the last decade – pensioner incomes rose very fast; a combination of higher occupational pensions, higher state pensions, and higher levels of earnings, actually, among people over 60.

Remarkably, they overtook the under-60-year-olds in about 2011 for the first time in history – miles, miles behind people of working age over history. We're not talking about

wealth here; we're talking about incomes. Incomes of the over-60s, in general, and of pensioners, in particular, overtook the incomes of those under the age of 60.

So, all of that...

Robert Cochran: Paul, can I just pick up a question, just around the productivity and wages that have flatlined. So, we can see that earnings kind of flatlined, but prior to that we had this flatlining of productivity. Any reason why that was the case?

Paul Johnson: There's a big question. So, I see one of the questions here is about whether this is just for the U.K. These are U.K. numbers. Most of the world has seen some significant tailing off in productivity and wages over the last decade, but on a less significant, to a less significant degree than we have.

What appears to have – a number of things have happened here. The two are obviously very closely related. Productivity appears to have been hit by a combination of reduced investment by companies, particularly both post 2010 and post 2016; by the long hangover from the Financial Crisis. There may be some measurement issues here, in that productivity may have been overstated, actually, in the U.K., given the scale of our financial sector, but certainly the hit to the financial sector post 2010 has had an impact on that.

And then there's this sort of compositional effect. This is looking at productivity per worker and wages per worker. We've actually got a lot more workers. So, the plus sign of this is that there are a lot more people in work – or at least six months ago there were a lot more people in work – than there had been. And that has helped I think keep wages down and bring people into lower-productivity jobs, as well.

Now, there are a whole series of long-term issues, of course, that drive productivity. In particular, our education system, infrastructure, transport, housing, all of those sorts of things, massive for productivity, though none of them explain that huge slowdown in wages and productivity post 2010.

It is also worth saying, finally, that things were actually – I don't know if you can see that in the – you can't see it very readily in the chart, but you can see wages in 2014-2015, if you look at that yellow line, were picking up. And we might have expected them to pick up quite a lot better than they did, but there was a clear slowdown again after the 2016 referendum. Inflation went up and wages didn't. So, real wages were kept down. Corporate investment collapsed post 2016 as uncertainty increased. So, a whole series of things going on there.

Let me come to the last chart on this kind of pre-COVID section, which is just to remind you of – so, what I've talked about so far is incomes, earnings, productivity, growth of the economy, which was very poor. What you can see here is one illustration of austerity. You can see government spending shooting up as a fraction of national income, largely as national income shot down during the Financial Crisis, with a big gap between revenues and spending. And then you can see that long, long reduction in spending over time as austerity bit and borrowing coming down by 2019, broadly, to pre-Financial Crisis levels. And that's where we went into this new crisis: borrowing down actually a bit below pre-Financial Crisis levels but, of course, debt much higher.

And finally, of course, don't forget about Brexit. That will have a continued and ongoing negative effect on the economy.

So, that's the run-up to where we were in beginning of this year. The economy had been growing slowly for a long period; wages and so on, barely growing; public finances largely repaired after the last crisis.

But we are now entering – we are now in – what I think we can safely describe as the biggest recession or the deepest recession in history, and that's not terribly surprising given that we shut down a large fraction of the economy, as did the rest of the world. So, this chart just shows you one of the International Monetary Fund forecasts of what might happen to major economies over 2020. It's looking at a 10% reduction in the size of the U.K. economy over this year. You can see that's pretty much in line with what they're expecting for most other economies. There's all sorts of forecasts for this. Whether it's 8%, 10%, 12%, or something different, we don't know, but we do know it's something pretty remarkable.

Now, in one sense, it doesn't really matter enormously what happens over this year. That seems like a strange thing to say, but if the economy collapses this year as a result of the pandemic – you'd think that's a one-off effect – and then jumps back to where it otherwise would have been, then actually we could look back on this as a bad dream and then carry on with our lives, as before.

But this chart showing the scenarios or forecasts from the Office for Budget Responsibility over the next several years, you can see that their central forecast – and I think this is what really matters – their central forecast is that the economy will remain much smaller than it would have been in the absence of the pandemic, even five years out. And that's what's going to drive lower incomes, our unemployment, and, as I'm going to come on to in a minute, problems for the public finances.

Why does it have this long-run effect? Well, partly, there are obviously huge risks and uncertainties around this – how long is the virus going to stay, are we going to have second waves, and those kinds of things. But even without that, even if the virus in some sense goes within the next year, 18 months, you have a big scarring effect from this sort of event: unemployment will persist, people will have lost the experience, businesses will have gone bust. And all of that has an ongoing effect on the economy.

So, their central scenario is the economy will be still 4% or 5% smaller than it otherwise would have been by 2025, and it could be significantly worse than that. All of which of course is associated...

Robert Cochran: Hi, Paul. Just a question, where you're looking at that. So, a couple of people asked questions about austerity and how we dealt with that previously. So, austerity had helped keep borrowing under control after the Financial Crisis, but do you feel that it stunted economic activity at that point? And do you think we've learned lessons from that that might be able to help support the situation where we are right now?

Paul Johnson: Well, I think it's pretty clear that the nature of austerity has had an ongoing negative effect on growth; and in particular, the big cuts in capital spending back in 2010-2011, the kind of spending that we know would have supported the economy at the time and would have supported the economy, going forward. I think there's less evidence that, for example, cuts in spending on local government or health or social care or what have you. Did that have a negative effect on economic growth? Probably not. But did the big cuts in capital spending have a negative effect? Yes, they probably did.

And I think that is actually something that government is learning from, because if there's something that's being prioritised over the next few years it clearly is that kind of growth-

friendly capital spending. And I'll come on to say a little bit more about what I think might be the response to the high deficit in a moment.

Lower growth, obviously, means higher unemployment. This is a remarkable chart. Again, these are all forecasts, lots of uncertainty around them. But this is – you're looking here at the central forecast of unemployment tripling over the next few months actually – and I should have put a longer-term chart up here – to levels we haven't seen since the early to mid-1990s, having had this long period of very low and falling unemployment. Particularly, this is going to hit younger people, people entering the workforce at the moment, but actually also younger people in the workforce who are much more likely to be working in retail and hospitality and entertainment, exactly those areas which have been shut down, which are doing particularly badly at the moment.

So, unemployment of course, as ever, is going to be unequally distributed. But this time – very often in the past, unemployment has been hitting particular regions, particular industries – heavy industries and manufacturing and so on. This time, it's going to be a particular part of the service industry probably hardest hit and particular parts of the population actually, those who are low paid and those who are young. And actually, also, those towards the end of their working lives are also somewhat more likely to work in those affected sectors.

So, again I could say a lot more about where we are with the economy. Clearly, we are moving up swiftly at the moment. The question, of course, is how quickly or rather how far we're going to move up. Whatever the impact of that, we're clearly going to have a big hit to the public finances. The economy is this year hugely smaller than it was and over the next few years will continue to be smaller.

So, this chart is just giving you a sense of the scale of that effect on the public finances. This is a slightly complicated chart. But just to summarise what it's saying, it's saying that back in March – remember March? remember the budget before lockdown? – the expectation was borrowing would be about £50 billion this year. The current central scenario is that it will be £350 billion this year. An astonishing change.

And unusually, actually, a large chunk of that is down to policy measures: so, the three red bits towards the right-hand side of this chart showing support for households; the furlough scheme and the self-employment schemes for business, for public services; and then that additional red bit that we got in the summer economic update back in July. Big increases in spending and cuts in tax over this period; that's about half of the increase. And the other half of the increase is we're just getting less in, in the way of taxes, because of the effect on the economy.

Three hundred fifty billion pounds, the biggest borrowing in peacetime, as I'll show you in a minute.

Now, borrowing this year, in one sense, doesn’t matter. Particularly if this is a one-off, we can live with the additional debt and carry on pretty much as usual. But the real issue here is that we're expecting borrowing to be higher into the future. So, this next chart showing you some IFS projections of where borrowing might be over the next few years. And as you can see, we're expecting instead of being about 2% of national income – about £50 billion – towards the end of this Parliament, more like 5% or 6% of national income – well over £100 billion.

And that assumes that none of the additional spending that we have in place at the moment continues. More realistically, we're also going to be spending more. And so,

without additional work from the Chancellor, we're going to be borrowing more into the medium term, as well as in the immediate term.

That means the government's selling vast amounts of gilts; just over the last four months, £225 billion, which is about twice the previous maximum, having no problem at all selling these gilts. It's worth saying, interest rates remain at absolutely rock-bottom levels.

Look back over a long period and you can see, actually, this remarkable – those dots at the end is our view about where borrowing as a fraction of the national income might be this year, literally at its highest level ever outside of the First and Second World Wars. Historically, completely unprecedented levels of borrowing.

Debt is a slightly different matter. You can see that actually over our history we've had public sector debt of well over 100% of national income for quite long periods, as you can see here: 131 over the last 320 years. We've had two periods where that debt has come down a lot. The first was that long period after the Napoleonic Wars, all the way through pretty much the First World War. And actually, the whole of the 19th century, from a fiscal point of view, was really of help bringing down that overhang of debt from the Napoleonic Wars.

But the experience after the Second World War was very different. It came down much faster, and that's essentially to do with very fast economic growth and a fair chunk of inflation and fairly tight budgets over that period. And the question for us, going forward, is have we got a Napoleonic War sort of – have we got a century of worrying about elevated debt? Or are we going to see debt falling very fast as the economy grows very fast over the next few years? I think the worry is that there's not much sign of that very fast growth.

The remarkable thing, though...

Robert Cochran: Paul, there's a couple of questions in about just scale here. So, the scale of money that's being thrown at the COVID crisis this year versus the scale of money that the government threw at the Financial Crisis.

Paul Johnson: Well, in terms of actual additional support for the economy, it's much bigger this time around. The furlough scheme by itself is something like 3% of national income. The big business rates holidays and so on are also very substantial. There was quite a lot thrown at the economy in the Financial Crisis, with temporary VAT cuts and so on.

But the big support through the Financial Crisis, as it were, is that the automatic stabilisers worked. So, most of the increase in the deficit during the Financial Crisis was driven by the fact that the government carried on spending broadly what it was going to spend. Tax revenues stopped coming in because the economy had shrunk. And so, the deficit rose.

And that's why I stressed what I said earlier, that it is quite unusual that this time around half of the increase in the deficit is actually down to specific additional policies by the government. So, the government in a sense have been much more active this time around, in a sense not surprisingly given what it did also actively was shut a large chunk of the economy over the period between April and June. And supporting through the self-employment scheme, the furlough scheme, the business support schemes, and so on was the sort of parallel part of that.

So, just carrying on with this point about the deficit and the debt – and I think it is quite an important issue about to what extent do we worry about this – you can see the debt interest payments, again going all the way back to the 1680s. Debt interest payments, despite this highly elevated level of debt, are actually at historically low levels, which really does suggest that, in some sense, borrowing large amounts at the moment is not problematic. The risk, of course, is that if interest rates start to rise in a way which is not associated with additional growth, then we really do start to hit trouble. But that point about being not associated with economic growth is important. If interest rates rise, accompanying increased economic growth, then that's much less of an issue.

I'll skate very quickly over just some of these issues about where the money has gone. So, nearly £50 billion for public services. That's not including things like the furlough scheme; this is for health and other things. Nearly £50 billion for public services since March. You can see a very large fraction of that for the NHS and then a significant amount for other parts of the public sector, as well, really driving a complete coach and horses through the spending plan set out in the Spending Review a year ago and set out in the government's manifesto back last December.

The most remarkable thing about this, though, is the huge amounts of money going on personal protective equipment in the NHS and test and trace. It's £15 billion there for personal protective equipment in the NHS this year alone. That is a staggering amount, as is the amount going to test and trace.

A lot of new policies in the Summer Economic Statement. The Kickstart Scheme, which actually started this week, supporting young people into work. Apprenticeship schemes. And then you can see there the stamp duty holiday, the reduced VAT for hospitality and accommodation, and a series of other programs, as well. So, again you can see that in answer to the last question, a really active, a really active bit of government response to the scale of this crisis. And as I say, this is on top of the self-employment support schemes and the furlough scheme.

So, what does all that mean for the public finances? Well, as I showed you, the public finances look like we're going to have really quite significant deficit, going forward, even without additional spending. And I expect there to be significant additional spending, going forward, as well. At some point – and I don't mean in this budget – at some point that will likely to mean tax rises. We've seen a lot of kite flying or leaking or something from the Treasury over the last several days suggesting that taxes may have to rise in this budget for next year. Personally, I'd be very surprised if that's what happens. We've still got a very weak economy, a very large amount of uncertainty, and I'm pretty sure that actually the focus in this budget coming up will be in supporting the economy through that period.

But at some point, kind of self-evidently, if the economy is smaller and tax revenues are lower and if spending is higher, which I suspect it will be, at some point we're going to have to do something about that. I think it's unlikely, given a decade of austerity, that we'll end up with additional spending cuts, but I think we will see some tax increases. But I do think this point about timing is really, really important. I don't think it should happen – I don't think it will happen – next year. Arguably, it might not be ideal the year after that, either. You then of course get, as I will show you, into the political cycle.

Now, can we raise taxes? Well, if you look at the U.K. by international standards, we're not a high-tax country. Across the OECD, we're sort of an average-tax country. Across Europe, we're a fairly low-tax country. So, can we raise taxes and remain an

economically effective and efficient country? Yes, we can, because a lot of other countries do it.

One of the slightly difficult aspects of that, though, is if you look at where they raise their taxes, I'm afraid they broadly raise higher taxes on middle earners. They don't raise more taxes from corporates. They don't raise more taxes from high earners. They don't tend to raise more taxes from wealth. How do they manage to raise much more in the way of revenue? In general, it's because they tax middle earners – and particularly, actually, through employer social insurance contributions – much significantly harder and higher than we do.

Now, that's not to say that's the only way of raising taxes, but I think it is actually a terribly important part of understanding how other countries manage to raise significant amounts of tax and something that we need to take account of in debates that we have about how we might fix that fiscal hole. I could talk for hours about options for raising tax. There clearly are numerous options, whether you're looking at corporate tax or capital gains tax, and I'll come on to say something about pensions tax and so on in a minute.

But if the scale of the challenge is what I think it is, which is pretty substantial, which is looking at tens of billions, rather than the odd few billion, of tax, in the end I don't think we'll have much choice other than to look at our three big taxes – income tax, national insurance, and VAT – which between them raise nearly two-thirds of all our revenue. And if we're looking at raising a lot more, I think we're going to have to look, at least to some extent, at those three taxes.

And then this last chart about taxes, I just think I rather enjoy, which is just to show you when taxes rise. And the answer is taxes rise in budgets immediately after elections. We have not had big tax rises in budgets immediately preceding elections in the last 30 or 40 years. And I think that will be playing very strongly in the Chancellor's mind as he thinks about the timing for when to address this fiscal problem. Is he going to go into the next election having raised taxes very substantially in the year or two beforehand? Or does he think he can get away with waiting until just after the next election? And how that will play in to both the economics and the politics I think will be very interesting to see.

So, for the last few minutes I'll just say a few words about where I think this leaves pensions or what this might mean for pensions. Obviously, all of this has all sorts of consequences for pensions. Obviously, if you're thinking about the very, very low interest rates, that's an issue. But equally, I think the government is going to be thinking about pension tax relief to fill that hole.

So, let's start by talking briefly about pension tax relief. I think one of the things that it's worth saying is that if you look over the last decade the second biggest tax rise after the VAT increase back in 2011 has been the restrictions on pension tax relief for high earners. That's been very remunerative for the Chancellor. And other than the outcry from the doctors last year as a result of the combination of complexities created and the generosity of their pension scheme, other than that it's been done with remarkably little in the way of political pain. So, big restrictions have raised something on the order I think of £8 billion to £10 billion a year for the Chancellor.

And I think one of the kind of key elements of this is this has really changed the pattern of tax relief for savings. So, this chart is just one way of illustrating that. The blue line is showing what the pension annual allowance was for most people – this is for moderate earners – over this period between 2006 and 2018 and what the ISA allowance, the red

line, has been over that period. And clearly, for the period before 2011 you could put, if you had the money, vastly more into a pension than you could into an ISA. It's now only twice as much into a pension as to an ISA if you're a moderate earner. Obviously, if you're a highest earner, you can put more into an ISA than into a pension.

And remember, back in 2014-2015, George Osborne was talking about the possibility of changing pension tax relief. So, instead of getting the tax relief up front, you'd get tax relief as you do with an ISA at the end. He moved away from that but when he did that, he announced a further increase in the ISA limits, reduced pension limits further. So, without actually doing what he said he was thinking of doing he got some significant steps down that line.

Now, the advantage of course to governments is that pension tax relief costs money up front; ISA tax relief costs money for your successors many years down the road. I think that that pattern of change, in a sense, is exaggerated by this chart because obviously not many people were putting £200,000 a year into a pension. But it gives you a fairly clear sense of the direction of change and the way that the tax system works.

Will there be further cuts to pension tax relief? Well, there's been talk about restricting the basic rate. If you were to do that, that would raise money worth having: £10 billion a year, possibly more, depending on behavioural response. You can see why a Chancellor might be interested in that. Clearly, it takes more money from higher earners than for lower earners. But it's really only hitting – or it's hitting hardest – those in the sort of £50,000 to £80,000 range, what you might think of as middle England, conservative England, "Daily Telegraph" readers, what have you. So, the politics behind it are quite difficult. It adds another layer of complexity to those very few really in the public sector who are still in defined benefit schemes and further limits the attractiveness of pension saving.

Will it happen? I don't know. It's not – I'd be surprised if it happens, for political reasons. There are clearly other things you could do to pension tax relief and, in particular, to the tax-free lump sum, which might be more palatable and actually more appropriate given the way that pension tax relief works.

So, is the Chancellor going to think about this? He's certainly going to think about it, because there's a lot of money there. Is he going to do it? Well, in the end that will be a political decision much more than it will be an economic one.

So, where now for private pensions, more broadly? Well, as you know, we've moved effectively completely away from defined benefit schemes in the private sector. So, we have a defined contribution, a world of defined contribution pensions for the vast majority of private sector employees. In that context, auto enrolment, as you know, has been enormously successful.

But it does seem to me that one thing that recent events has done is to illustrate actually very clearly some of the concerns with the current model. The stock market has fallen, and that has hit the wealth of all pension savers. Particularly, we might worry about those who are relatively close to retirement. And we're actually putting some new work out next week suggesting that that's had significant effects on the retirement decisions or retirement expectations of older workers.

Interest rates are lower than ever. So, with pension freedoms, annuity rates are at an all-time low. People are not, understandably, taking annuities in vast numbers. Taking an annual income doesn't look attractive. With defined contribution schemes, there's no risk

sharing. In my view, we essentially genuinely do not have private pensions in the U.K. any more. Defined contribution pensions are just another tax-privileged savings pot. Now, whether you define that as a pension or not is up to you, but what you don't have are those things that you usually think of in pensions: they're not providing annual income in retirement; they're not providing any kind of risk sharing. They're providing you with exactly the same thing that an ISA or a bank account is providing you, just with a different form of tax relief.

And if I have one worry about our pension system now, it is that lack of risk sharing either within or between generations that is created by not just the accumulation phase, but also now the decumulation phase. And as I say, I think this crisis has illustrated rather well the risks associated with that.

And finally, let me just say something about the triple lock, which is the other element of pension policy which has come up for consideration at the moment. And I think the current situation illustrates rather well the pitfalls of the triple lock. I don't know what's going to happen to recorded average earnings over the next year or two, but I think there is a chance that they might rise really quite sharply next year, partly because of the unwinding of furloughs – so, we all move from 80% to 100% earnings – and partly, actually, because a lot of job losses really are going to be among low earners. If low earners lose their jobs, then the average earnings of those who remain in work will rise.

At the same time, inflation is likely to remain low. That's certainly the view of the Bank of England and of the OBR. I think there are some upside risks on inflation, I have to say, with the result that we could end up with pensions rising, state pensions rising much faster than prices; and indeed, in any real sense, over a two-year period rising much faster than earnings, as well.

So, it seems to be very clear that triple lock should at least be suspended for the next couple of years. But the crucial point here, though, is that the government can simply decide to suspend the triple lock. Rising in line with average earnings is actually in primary legislation. And probably, it is next year's rise in line with average earnings that might be the problem. So, the problem for the government, as it were, is that they're not – what is not required is a change in policy which can simply be announced at the drop of a hat, which is that triple lock is suspended; that can be done easily. The problem for the government is if they want to stop the state pension rising in line with earnings, they're going to have to put through primary legislation to do that. And that, of course, is likely to be problematic.

So, let me just conclude by saying – just reminding you, as it were – of the key features of what I said. We came into this crisis after a pretty tough economic decade, though an economic decade in which we got the public finances into some kind of order.

This crisis has created the biggest recession, the deepest recession in our entire history, probably going back to the Black Death of 1348, as a guess. That, in a sense, wouldn't matter that much if we thought the economy was going to jump back to where it otherwise would have been. But economies don't really work like that. Even if you hit them with a one-off shock which then goes away, it can take them a long time to recover, and the expectation is that the economy will remain smaller than it otherwise would have been.

And of course, we've got the additional problem of Brexit layered on top of that.

That's going to create problems for the public finances. Now, those are not urgent problems, partly because interest rates are so extremely low, but they are problems that will need to be dealt with eventually. Not this year, not next year, maybe not even the year after, but at some point in the medium run that's likely to mean tax rises of one kind or another, probably tax rises affecting income tax, national insurance, and VAT to some extent.

In that context, it's not surprising that people are talking about what might happen to pension taxation, the triple lock, and so on. There are clearly options for changing pension taxation. One thing I might add to that is that there are also options for increasing the tax on pensions in payment, though I don't expect those to be explored. Pension in payment have been very much protected as pension contributions have become more heavily taxed. The triple lock is in the long run an expensive policy, and the issues associated with it have really come to the fore in the rather odd circumstances we're in at the moment.

So, that's all I'm going to say for now. I'm now very happy to take questions on any of that.

Robert Cochran: Well, Paul, we'll just let you catch your breath there. And before we fire over the questions, what we thought we'd do is just get a view from all those taking part as to what they think about the triple lock. So, just as a reminder, I'm going to send you a survey to see what you think should happen with the triple lock. The triple lock is for state pensions, and it guarantees that it will rise in line with living expenses – so, CPI, the increase in average wages, or 2.5%, whichever of those three is the highest. So, that's what the triple lock is.

So, I'm going to fire you a question just now. In your view, the pension triple lock should be either maintained? Or should it be suspended for five years? Or should it be abolished?.

So, it's a fairly even split. We've got 30% of you saying it should be maintained; we've got 45% saying it should be suspended for five years; and about a quarter of you say it should be abolished. So, that's a fairly even split. And I guess that's part of the challenge they have when they're looking at how you create policy around that which takes everyone with you.

Okay. I don't know what you think of that, Paul. Do you think that reflects the country?

Paul Johnson: Probably. I suspect the country is somewhat split on age lines, and of course the government is highly sensitive to the views of older voters.

Robert Cochran: Yes. Okay. Brilliant. So, let's now go to questions.

Alexis Ward: Okay. So, Paul, the first question I'm going to ask is, how does the U.K.'s projected COVID economic impact and levels of indebtedness compare to other developed countries?

Paul Johnson: It's not so dissimilar. There are other – there are all sorts of international measures. It looks like we've done somewhat worse in terms of numbers of deaths, but actually not by vast amounts relative to some other countries. And a lot of that seems to be associated with two things: we've managed our care homes very badly, but also we've had the

impacts, at least up till now, have been more broadly distributed across the U.K., whereas in some other countries have been more locally affected.

In terms of the economy, you'll see one of my earlier charts showed the expectation is that the British economy will shrink by about an average amount by the standards of other major OECD countries. We might turn out to be a little bit worse, we might turn out to be a little bit better, but it doesn't look dramatically different.

And the scale of government response here again has been not too different from that in some other countries. In some other countries, actually, some of the response was much more automatic because they have welfare systems which automatically replace very large fractions of your income if you become unemployed. Here, we have made universal credit, for example, a little bit more generous. But certainly for those who have lost their jobs, for some of them, the experience here will have been worse than the experience in some other countries.

I think the truth is we won't really – again, I know that there will be – this government has not covered itself in glory in the competence with which it has dealt with things over the last six to nine months, but I do think it will be some time before we know how well, over all, the U.K. has done relative to other countries.

Alexis Ward: Okay. Thank you for that.

Robert Cochran: Paul, one of the areas I guess we didn't really cover today was self-employed. So, we've seen a rise in the number of people who are self-employed, a fairly significant rise, over the last few years. Do you think that this kind of structural change will increase the self-employed make-up within the workforce?

Paul Johnson: Well, I think there are pressures in two directions there. The first thing to say is that, clearly, a lot of people who were self-employed very quickly found that their capacity to work dried up. They got – some of them or a large fraction of them got really very significant help through the Self-Employment Income Support Scheme, which for the majority of the self-employed really was very generous; but for a minority, left them completely uncovered. So, there was a lot of rough justice in that scheme.

It might leave people feeling more risk averse. If you're feeling more risk averse, I think you're less likely to go down the self-employment route. So, it might have that impact, reducing self-employment. On the other hand, we know that a lot of self-employment actually is a response to losing your job. So, a lot of people who become self-employed become self-employed having lost their employment, and it's almost an involuntary kind of self-employment, although the majority then report actually being happier in their self-employment even if it was, as it were, enforced than they were when they were employed.

I think the last thing it's worth saying on this is that, remember, the Chancellor did say when he introduced the Self-Employment Income Support Scheme that he would take the opportunity, as it were, to level up some of the taxes on the self-employed towards the levels of taxes on employees. Part of the reason at least for the increase in levels of self-employment is the much lower levels of taxes that self-employed people pay, particularly once you take into account employer national insurance contributions. This is of course why some tech companies – Uber, for example – much prefer to have their people working for them as self-employed, rather than employees, and one of the reasons that the Office for Budget Responsibility has raised significant budgetary concerns actually about the increase in the numbers of people who are self-employed and incorporated

because of the lower levels of tax that's associated with them. So, it will also depend to some extent on the policy response, I think.

Alexis Ward: Thanks for that, Paul. And one close to, I guess, everybody's heart, what would be the impact of raising state pension age by one year for everyone immediately?

Paul Johnson: Well, we know that the increase in female state pension age over the last decade has significantly increased the number of women aged between 60 and 66 who have stayed on in work. You can see that very clearly in the data, that as you increase pension age, the numbers of people in work increase. And that's not – that might sound obvious, but it is not obvious that people would respond like that.

The second thing that we see, more generally, is that there's been an increase in the number of people actually over state pension age who have stayed in work over the last decade or so. One of the reasons that there's been this increase in incomes for people over 60 and over 65 is that earnings have risen for that group. But of course they're very unequally distributed. A lot of people either don't or can't work.

I think if you were to raise state pension age immediately, with no notice at all, it may be that people have difficulty responding to that and changing their retirement plans very quickly. But it's certainly – and is this the best moment to be doing it, when jobs may be particularly hard to come by and some people may already be feeling discouraged? I don't know, but there seems to be in my mind in the medium run, as the government is planning, there is no question but that we need to keep the state pension age rising.

Alexis Ward: Okay. Thank you.

Robert Cochran: Paul, you mentioned that you could see additional taxes being raised from pension in payment. Do you think that would be special tax rates for retirees? Or do you think those over state pension age would be asked to pay national insurance contributions?

Paul Johnson: Well, I think there's a number of options there. One thing one could certainly consider is having – if you're in employment and over state pension age, of course there's currently no national insurance to pay, and maybe that's an anomaly that could be changed.

The other thing that I have in mind is that if you've got an occupational pension in payment, because most of occupational pension contributions come from employers, they will never have been any national insurance contributions paid on those pensions in payment. So, there is at least a case for an additional tax on occupational pensions in payment. Now, it would be very difficult to do that at anything like the full national insurance rate overnight, but you could do it at a few percent on significant payments. That's not going to raise vast amounts of money for the Treasury, but it might not be a bad way of raising some. It is worth repeating again that in terms of taxes, those over pension age have not seen any increase in their pension taxation, whilst those under pension age have seen very big reductions in the value of pension tax relief.

And finally, as I said in the presentation, I think the case for reducing the value, the generosity of the tax-free lump sum is also fairly significant.

And one much smaller point, the way in which DC pots are treated at death strikes me as being absolutely absurdly generous and should certainly be changed to raise sums. Again that's not going to raise you significant money in the short run, but at least it makes pensions look more like something that they should be used for, rather than as a way of avoiding inheritance tax.

Robert Cochran: Paul, thank you very much. We've had well over 40 questions. So, unfortunately, we couldn't get to all of those questions, and we're almost out of time. So, I'm going to hand back to Ali to close off. But thanks very much, everybody, for submitting your questions. And thanks, Paul, for your answers.

Alison Nicholson: Thank you, Robert. Thank you, Paul. And a thank you to all of you on the line for taking part.

It was actually really good to see at the beginning the positive outlook you have for your own businesses and the future that you see coming through COVID and the pandemic.

Paul, it's great that you shared with us so many statistics. And there was a couple that really stood out for me, and that's the extent that the government has been financially active in support. We all know because we see it and we read in the news about the furlough scheme and the different things that were put in place. But £50 billion on public services, huge amounts on PPE and test and trace, and another £30 billion in the plan for jobs are absolutely staggering figures. So, unsurprising that government borrowing is an all-time high and in the face of such a deep recession.

Depressing, but true, that our economy not in great shape, and you shared some really good statistics with us. The biggest recession in history as you said, and really we are always thinking what next and what might happen. And you've really addressed that for us today, Paul, and shared your thoughts. No one has a crystal ball, but you've really shared thoughts, specifically around pensions, for us, too; tax income; the impact of stock market volatility; the triple lock. All great insight, and thank you very much for doing that on behalf of everyone on the call.

Our next date for the expert series is later this month, and it's all on responsible investing. We would love if you could join us.

As we close this call, a feedback survey will appear on your screen shortly. It's really short, and we would appreciate you taking part to comment on both this call and what you would like to see in the future.

So, thank you for joining us, and enjoy the rest of your day.

Scottish Widows

September 17, 2020

Alison Nicolson:                  Good afternoon, everyone. Thank you for joining us today. For those of you who don't know me, I'm Alison Nicolson, and I'm the Head of Client Relationships here at Scottish Widows.

                                                Today I'm joined by colleagues, Maria Nazarova-Doyle, who you can see here on the slide, Head of Pension Investments, and Tony Clark, who is our Regional Development Manager. We were really lucky to steal Maria from Mercer and I know that we have a few of her ex-Mercer colleagues on this call. So, we thank you. But many of you may also follow Maria on social media. And if you don't already do that, then please do, because you will see a lot of what is going on from her social media.

                                                For those of you that tuned into previous webinars on the evolution of our pension funds or investment markets, you will have heard some teasers about our Responsible Investment approach. And so, we're delighted that Maria, here today, will provide you with some more information on this ever-evolving topic.

                                                Please do use the "Ask a Question" function to submit your questions at any point during the presentation. And Tony, who you can also see here, will keep a lookout for key themes that he can put to Maria towards the end of our session.

                                                This webinar is being recorded, and it will be available for you to share with your colleagues after the event on the same link that you used to access it today.

                                                This forms part of our Experts Series, which is a set of topical webinars, podcasts, podcasts, which see our experts talking of some of the key issues in our industry to help you navigate the changing market. We've been building the content in this series since June; our most recent one, a brilliant session on the economic state of the nation with Paul Johnston, from the IFS. Please have a look at the web page for this in our advisor extranet. If you didn't join it, I think you would enjoy it.

                                                We have another great session coming up next month, with our LBG Security Team providing an overview of cybersecurity, a really hot topic given we've all moved digitally. This will help you and your companies be protected. So, please keep a lookout for the information coming into your inbox or on social media over the next few weeks.

                                                Feedback from our previous webinars has suggested that investments is a really popular topic. And so, I don't want you to have to listen to me. Let's get started. And I'll pass over to Maria. Maria, over to you.

Maria Nazarova-Doyle:     Thank you very much, Alison. Hi. My name is Maria Nazarova-Doyle, and I'm Head of Pension Investments at Scottish Widows. I look after our investment proposition, and I'm also responsible for integrating ESG into everything we do.

                                                I'm delighted to see so many of you joining our Responsible Investment webinar today. The interest in this topic has been growing exponentially, and many pension schemes, asset managers, and providers are on the journey of integrating ESG into their business models and products. And today I will tell you how we approach RI integration at Scottish Widows. Well, I might be biased, of course, but I do feel that our approach is very comprehensive and that we have made significant progress in this area.

                                                But before we go through the presentation, let me run a quick poll with you, as I'm quite interested to know whether I am preaching to the choir today or whether I need to work harder to convert the non-believers. So, Marco, if you could send the poll out, please, it will be really good to see what the audience thinks.

                                                Marco, could you show the results, please?

                                                So, if you're looking at what I'm looking, it's quite a strong support for "ESG factors affecting financial returns," and we do have a fairly small group that said they do not believe so and a slightly larger group who are not sure. So, I'm going to try to work harder today to get us to 100% believing. But if you still have any outstanding questions after this, I'll be more than happy to cover and have additional conversations.

                                                Right. So, let's kick off then with our presentation. At the beginning of this year, we published our Responsible Investment and Stewardship framework to articulate our position and ambition in this area. So, since then we have been working hard to implement these principles in practice. And to set us up, here is how we define "responsible investment." We define it as, "incorporating financial and material ESG factors into the investment process to better manage risk and help identify investment opportunities." Our six principles are: invest responsibly, operate an exclusions policy, reduce portfolio carbon footprint, ensure our fund range is aligned to customer values, integrate these principles across all asset classes, and look for ways to enable direct investments for DC, particularly when we look at green energy and infrastructure.

                                                And our stewardship commitments see us developing into an active owner of our assets, and our stewardship policy lays out a three-pronged approach to this. So, firstly, we'll work very closely with our asset managers to monitor their stewardship and voting activities, both looking back and looking forward, so that we can override their voting plans and direct their votes should the need arise. Secondly, we're engaging directly with our top 20 holdings, and then dialogue with those companies to influence developments that enhance the value of a customers' investments. And thirdly, we engage with other asset owners like us and the industry organisations, like Climate Action 100+, the IIGCC, the PRI, and others to drive positive change at the systemic level.

                                                So, the principles are all well and good. But what does that actually mean we're doing in practice to integrate ESG? Here is our Responsible Investment toolbox. It consists of four main tools that we use to integrate ESG. Stewardship is number one. This one is the extremely important as, when done properly, it helps protect and enhance the value of our investments, as we work with companies we invest in to ensure they've been responsible in their business practices. I will cover up some examples of our stewardship in an action later in the presentation.

                                                So, another tool we have is screening or exclusions. There are certain things that represent unrewarded risk in our portfolio, and this isn't something we can solve with engagement. In these cases, we simply do not want to hold these investments, as we have no way of mitigating these risks. So, we're now finalizing our approach to exclusions, and there will be further announcements on this later this year.

                                                And I should note here that it is very important to decide where to draw the line between stewardship and exclusion. As a large asset owner looking after around £170 billion of investments, we can make a real difference if we keep a seat at the table and engage with our industry companies, rather than just passing the buck further down the chain to individual small investors. So, it's important not to approach exclusions as a blanket tool, and it's quite a blunt tool, as well. But it's also important to manage downside risk for people who trust us with their savings.

                                                So, our preliminary analysis shows that there is a level of exclusions that helps achieve that, and I really look forward to telling you more about it later this year.

                                                So, tool #3 is integration. So, this is where ESG considerations are fully embedded into the investment decision process at security level and normally applies to active management. You might know that our active mandates are managed by Schroders, who have achieved full ESG integration throughout all their investments. So, therefore, our own actively managed funds are now covered for this particular aspect.

                                                And last, but not least, is allocation. This is where specific themes can be pursued to help capitalise on ESG-related opportunities. And a good example would be our recent investment of £2 billion into the BlackRock Climate Transition World Equity Fund that I will also cover off later today in a bit more detail.

                                                There are many ways to position our discussion today. There is a lot I'd like to share. So, I've been thinking about how best to kind of put a framework on the conversation today so I don't just talk about lots of different things. And for the purposes of giving this some structure, I think it would be helpful to use the framework that I outlined on this slide. So, whereas the previous slide covered the approaches to embedding ESG into our investments, specifically, and we addressed the whole spectrum of ESG in our funds, this is how we address ESG at strategic, board level as a pension provider and asset owner.

                                                So, this looks at our stewardship activities and investments into customer offerings and functionality. We define our strategic priorities on a three-year basis, as it is much better to focus on a smaller number of important things and get them done, rather than to chase a wide variety of things and master none of them. So, the rest of this presentation is dedicated to giving you more details around our activities within these three focus areas. So, they are climate and carbon, customer empowerment, and board cognitive diversity.

                                                So, let's start with climate and carbon. Climate risk is very much an investment risk, but also an investment opportunity. The goals of the Paris Agreement that have 195 signature estates is to limit global warming to below two degrees and to make finance flows consistent with a pathway towards lower greenhouse gas emissions and a supportive climate-resilient development. So, UNPRI's work on the inevitable policy response projects highlights significant disruption to the investment industry, driven by changes in underlying valuations of companies due to adverse financial impacts from climate policy.

                                                Now that the U.K. has legislated to be in line with the Paris Agreement, the government will be forced to act on its goals, and the longer a robust policy response is delayed, the more disorderly the implementation will be and the higher the potential costs. We know already that the assets are getting repriced as we speak and oil majors are writing off billions of their balance sheets due to oil reserves they know they will never manage to extract.

                                                As institutional investors, we're acting to support the low-carbon transition through our stewardship by focusing on some of the largest high emitters  that we own and through changes to our investment portfolios to help manage standard asset risk.

                                                So, speaking about investment, we are strengthening our pension default by allocating £2 billion of these equities into the new fund we designed together with BlackRock, called the Climate Transition World Equity Fund. This fund allocates more to those companies who score highly on their low-carbon transition readiness, which includes things like carbon emissions, percentage of clean technology revenues, water and waste management, and tilts away from those who achieve the lowest scores.

                                                We're very excited to introduce this fund, as it is very innovative and achieves some amazing environmental characteristics, alongside making the return stream more sustainable by taking out some of the ESG risks and overweighting companies where we expect ESG-related benefits to come through.

                                                The fund has exclusions for controversial weapons and U.N. Global Compact violators. So, these are companies breaching international labour laws, human rights directives, those involved in child labour, modern slavery, and corruption. So, this helps us to address some of the "S" and the "G" concerns, but the fund is mostly targeting significant improvements on "E" – so, on environmental characteristics – like achieving around 50% of carbon emissions reduction compared to its index, which is MSCI Broad Equities. It also achieves 63% increase in green technology revenues and 10% decrease in water consumption.

                                                So, we expect that this fund is going to deliver very good environmental characteristics, alongside a more robust return stream over time.

                                                The philosophy of the fund is built on five main pillars, within two broad categories: what the company's business actually is, and how well they manage natural resources that they use. I have seen a number of environmental funds – and I'm sure you have, as well – but there are a few things that make this fund stand out. For example, most often low-carbon funds would just run a screen on highest polluters, whereas this fund doesn't just do that; it goes further, into allocating to companies whose business models are in green technology and renewable energy. So, the fund benefits from the successes of the low-carbon transition.

                                                Also, this fund incorporates natural resource management into its scoring, like water and waste management, which is becoming increasingly important, alongside carbon emissions mitigation.

                                                (inaudible) This approach scores companies within the MSCI World Index based on these five parameters, and then excludes those with the lowest scores. So, that results in about 2% of the index being excluded on these scores outright. And what it does then, it allocates almost 90% of the fund to those companies in the top two quartiles of scores.

                                                As I mentioned earlier, we're allocating 10% of the equities in our pension portfolio and retirement portfolio funds to this new fund, and we're already thinking ahead in terms of next steps to tackle ESG and climate change risks in our portfolios.

                                                We address climate and carbon risk not only through investments, but through our stewardship and engagement. A year ago, we began a process of engagement with the largest oil companies in our portfolios, which were BP and Shell. With BP, we were the second largest shareholder in the group that put forward the shareholder resolution to require BP to publish their plans on achieving net zero and Paris Agreement commitments. That resolution received overwhelming support.                 And we continue to engage with BP to ensure the progress on this.

We have recently exchanged letters again when the news broke out over the summer of the write-down of around $17.5 billion of assets from their balance sheet, combined with lowering of their long-term energy price assumptions, while also increasing their assumptions on carbon pricing. So, not very good news, at all.

                                                We received additional information and (inaudible) clarifications we were after  the CEO of BP, Bernard Looney, and have been watching with interest the latest commitments that BP set out in their new business plan, as they've committed to restructuring as a low-carbon company.

                                                We're having similar ongoing engagement with Shell, where last year we have been successful in tying the executive compensation to their achievement of carbon reduction targets, and we're staying close to them as a significant investor as the sector is undergoing a major structural shift from which clear winners and potential losers are already starting to emerge.

                                                That's perhaps enough about "E," and now we can move on to "S" and, specifically, to how we define "social" at a strategic level, which is customer empowerment. We look after pension savings of over six million people, and this is only too well known in the industry: they do not engage much.

                                                However, we have noticed a rise in customer interest and demand when it comes to ESG. We conduct regular U.K.-wide research in this area, and our latest research shows that a lot of people would really like to understand more about ESG, while even if they don't recognise the actual term immediately. But they find it difficult to understand how savings and investors, whether the provider is sustainable and whether their pension fund is sustainable.

                                                So, we have seen a big rise in social and environmental consciousness in the population, but that hasn't yet quite translated into more active pension engagement. And I think we're on the brink of that lightbulb moment where people will make this connection, and we want to help them do it.

                                                We're going to empower customers to give them the right information and a robust selection of investment options to help them align their investments with their beliefs. While this is perhaps not a traditional way to address the "S" of ESG, please remember I'm talking here about our strategy as a business and as a pension provider. We do feel that we have an important role to play here in unlocking pension engagement that also helps people build a future worth retiring into.

                                                We're already implementing ESG as standard into our default offering, but we know customers want to go further and address a range of specific issues that are important to them. So, we will offer them that choice.

                                                We conducted another piece of research to understand what those thematic issues may be that people would want to invest their pension savings into and whether it would make a difference in the engagement. But before I show you the results, I'd like to ask you to take a quick poll, as it would be interesting to compare how the audience today responds versus the U.K. population.

                                                So, let me just click onto the poll question. So, just to position this a little bit, this is what we asked our customers in the recent research piece that we did, to understand whether any of those themes would actually click and people would want to put their money into. So, I would be interested to know if any of those themes actually resonate with the audience today. Marco, if you could please send the poll out, that would be helpful.

                                                Fascinating. I don't know if you can see this, but I'm watching there the different columns kind of go up and down. It's really interesting. We'll just wait a few seconds, and Marco, if you could send the results out, as well, so the audience can see what I'm seeing?

                                                That's very interesting. I'll show you kind of the answers that we got from our poll, but I could tell you that everybody definitely agrees on clean energy. So, there's definitely consistency there. But other than that, there's a little bit of difference. And particularly, I think the biggest difference would be around U.N. Sustainable Development Goals.

                                                So, without further ado, let's have a look at the results of our customer poll and then maybe analyse the comparison a little bit more. Hopefully, you can see the results now in your screens.

                                                We asked similar questions from about 1,400 U.K. DC savers, and the results were somewhat surprising, on one hand; but on the other hand, perhaps quite obvious. Most people tended to pick clean energy, water and waste management as their key priorities. And this relates, of course, to what people already do in their daily lives. So, that makes sense that they would want their investments to be aligned in the same way.

                                                And interestingly, the asset manager, Nordea, conducted a piece of analysis not so long ago, to find that moving your pension savings into an environmental fund could have up to 27 times more positive effect on the environment than any of the individual actions we're taking, like flying less, travelling by train instead of by car, eating less meat, and so on. Oh, and on this subject I was a little surprised that vegan/sustainable food themes scored really quite low in our poll with the U.K. population, but we will keep monitoring developments in this area.

                                                And biodiversity and U.N. Sustainable Development Goals both scored – got the lowest scores. I think there's still some work to do to link that better to the idea of investments. So today, it's probably not surprising that quite a lot of you voted for Sustainable Development Goals, because probably this particular audience already has an interest in ESG and understands what that means and understands the link; whereas, there is work to do to help U.K. population to understand that that is actually investable.

                                                And on diversity, which is quite an important area for us, the stats are not particularly high. But interestingly, for Scottish Widows customers the stats were higher than the average market. And I suppose this is the draw of the Widow. Maybe there is a bit, some selection going on that's more diversity-conscious customers come to Scottish Widows.

                                                So, the important question here, though, is will this make a difference? Offering people more ESG thematic funds looks to be something that will make them more interested in their pension investments. Over half of respondents said that the top three scoring themes, they will make them "more" or at least "a little more" interested. The proof of the pudding will be in monitoring actual customer activity, but I do believe that ESG has the power to unlock pensions engagement, as it makes pension savings suddenly relevant in the here-and-now, as these investments can target causes that people care about and identify with, and it's just relevant today rather than sometime in the future when they retire.

                                                We then specifically asked if people would consider putting their money in thematic funds if they were made available to them. If you think this is only the woke millennials that care about ESG issues, you will be pleasantly surprised. Although the Under-34s did score the highest – 67% of them said yes – we saw high levels of interest across all age groups tested.

                                                There was some difference for males and females who would actively put money in thematic funds, but we think that is part of the trends that we've seen around men tending to make more self-select choices outside of the default, rather than a comment on men being more ESG conscious, in particular. So, over all, the difference wasn't too large anyway; so, 61% of male respondents said that they would move money, against 49% of women.

                                                And as I alluded to earlier, we carried out this poll to understand the areas where we can support our customers better by offering them a fund range aligned to their values. And you will be hearing more from us on how we're delivering this to them towards the end of this year and early next year.

                                                Our ESG research report is also available on our website, or please feel free to reach out to your usual Scottish Widows contact if you would like a copy if that's easier. I'll also be posting them on social media, as you probably wouldn't be surprised to hear. So, you can get them there, as well.

                                                Now we come to talking about the "G" within ESG, which stands for "governance." What I wanted to cover in a little more detail today is the focus of our stewardship activities in the current three-year period. While there are many aspects within "G," we believe that board diversity and, in particular, cognitive diversity is one that can be the most impactful. Without a diverse way of thinking and being able to consider different perspectives around the decision-making table, companies we invest in risk (inaudible)  falling foul of groupthink, which is one of the things that gave us the Global Financial Crisis a decade ago.

                                                So, if we turn our heads to the looming crisis that is climate change, we need better quality decision making at the most senior level if businesses and the economies are to be successful in the low-carbon transition. Diversity is not just a buzzword or a nice-to-have. There have been numerous studies documenting the financial impact of this. This ledger shows a handful of such research results. And what we know on an intuitive level also comes through in research data: more diverse companies perform better.

                                                Diversity isn't just about gender. It's about all aspects that help individuals think differently and enable new ways of looking at the same issues. Cognitive diversity stems from differences in education, age, religion, race, nationality, and other factors that are all very valuable if you want to get a balanced view. We, the business, are strong supporters of diversity. We have been championing diversity throughout the business and in our leadership position for a very long time, and we have committed to meeting the target of 33% female representation and at least one Black, Asian, or minority ethnic board member by 2021.

                                                Recently, you may have heard that the ratings agency, Moody's, found our new Race Action Plan to be credit-positive, and we expect diversity to become increasingly financially material in the coming years. We have a variety of approaches available to us to ensure that the largest companies we invest in are making good progress in this area. We will write to them, hold meetings with them. And where progress isn't achieved, we can use our voting powers to help move the dial.

                                                So, stay tuned for more updates in this area as we put our new stewardship policy into practice.

                                                So, that was a bit of a whistle-stop tour in our approach to ESG, but I hope it gave you a better understanding of what we have already put in place and also helped signpost some of the developments that are underway.

                                                I'd like to leave you with highlights in the next step on our ESG journey that we hope to start putting into practice later this year, which is our exclusions policy. We're at the latest stages of finalizing this and look forward to be able to communicate this to the market as we come to implement it later this year.

                                                As I mentioned earlier today, we're very conscious of the progress we can make as a large asset owner by engagement; particularly, if we work with others, too. So, we won't be looking to suddenly disinvest from everything that looks a little off, nor would we look to disinvest on moral or ethical grounds. We'll work hard to protect our customers' lifelong savings from unrewarded risks, and this new policy will help us become even better investors on their behalf.

                                                Thank you very much for listening. I am very happy to take your questions now, as I'd much rather be answering the questions that you have than to just kind of preaching to you on my pre-prepared remarks.

                                                So, Tony, over to you.

Tony Clark:                          Thank you, Maria. And thanks for that insight on where we currently are and what some of our initial next steps are on this wide and reaching subject.

                                                There's a few questions that have come through. I'm just trying to sort of define them into some themes. One particular one, I'm actually going to – I'm going to let you take a glug of water, Maria, and aim this one, actually, to Ali, who obviously introduced the call earlier on, around that difference between men and women and how they approach this whole ESG subject. What do we think drives the difference in the way that they think about this subject, Ali?

Alison Nicolson:                  Tony, I think that's a really interesting question, and I think many of the people here listening on this call will have views on this, as well. From research that we do in this area, we can see that more women than men are actually worried about some of the things that Maria has just talked about. So, for example, climate change, many more women worry about that on a day-to-day basis than men; yet, the question that Maria shared with us told us that actually less women than men are likely to invest in ESG-friendly funds if it was made available.

                                                And we have to ask yourself, why is that and what can we do about that as a provider and what can you do about that as advisors on the call. And if we look wider at some of the things that we get underneath when we do research with women, we know that more women than men don't actually understand their savings, they don't know what they've got for their long-term savings. And more women than men feel they're not adequately prepared for the future. So, these types of stats tell us that actually there's probably a knowledge gap and potentially a confidence issue.

                                                So, we've tried to take that quite seriously, to help support – and I'm sure many of you in the call will take that quite seriously to support. Because if we have women who have a passion in this field, but not necessarily going to follow it through in their investment principles, then there's a lot of education that we'll have to do to support.

Tony Clark:                          Excellent. Thank you, Ali. That's good to hear, and it's good to see that we kind of take the way differing groups and populations – and this isn't just about gender. I know the way that Scottish Widows and Lloyds Banking Group work on these things, we take much more wider thinking into our approaches about the way that different groups around the U.K. approach these particular subjects. So, thank you for that.

                                                Maria, I hope you've had time to have a bit of – to whet your whistle, so to speak, and have a drink after talking us through there. A couple of questions that have come up then. So, one of the ones that's come up, one of the themes, is around the fact that clients historically have already held environmental and ethical views and beliefs that's made them approach their investments by using environmental and ethical funds. Are we going to focus first on those, where clients are already consciously making those kind of choices?

Maria Nazarova-Doyle:     It's a good question. Thank you very much. We're trying to address quite a few things at the same time. So, as we're trying to understand what other things we're missing in the fund range that people might want to invest in, we're also looking at what we already have and how we can improve this. So, we're currently reviewing the mandates for our ethical environmental funds just to make sure that they still address customer needs and what we believe is the market best practice or leading approach to ethical environmental investments. So, we're doing both, in tandem, so that the fund range that we do offer actually doesn't have any gaps and things that we do have in the range are exactly spot-on.

                                                So, thank you for that question. You should be able to see progress on customer range of funds very soon.

Tony Clark:                          Thank you, Maria. Leading on from that almost around workplace pensions, where obviously there's a lot of employees who have Scottish Widows as their provider of workplace pensions, where do you see BlackRock Climate Transition Fund and the wider thinking that we have here, where do you see that sitting within the workplace environment?

Maria Nazarova-Doyle:     So, we're already integrating this fund into our default, which is our largest workplace product and with the majority of customers in it, but we're also looking to add this fund as a self-select option to the fund range, as we discussed earlier that we're looking to add different funds.

                                                So, you might recall from the customer poll that the top three themes that people cared about are climate, kind of clean energy, climate, water management and waste management, which incidentally happened to be the top three themes that that BlackRock fund actually addresses. So, originally our thinking was to just have this in the default. But then, seeing the results of customer polls we thought that it makes really good sense to offer it as a stand-alone option, as well. So, those people who care about those issues could invest directly up to 100% of their savings, should they want to.

Tony Clark:                          Thanks, Maria. And one other question that's just come through, actually, which is almost linked to this side of things, as well, is whether or not there's any work that we've got planned to support the ESG message through the schemes so, actually, end customers and employees actually start to get this messaging through to themselves, as well. Any thoughts or plans on that side of things, at all?

Maria Nazarova-Doyle:     Yes, absolutely. So, I'd say we're starting from strategic level to make sure we put the frameworks and the foundations in place for us doing all the right things fully and the way we intend in terms of integrated ESG. And as a next step, we're looking then to engage with customers once we have this fund range that we think answers their exact needs and also our customer empowerment broken into two. So, one is giving them the good fund options and choices that they want, but the second one is to give them the tools to make better decisions and being able to incorporate ESG into those decisions.

                                                So, what we're doing is we're also working on developing new tools for customers that are ESG tools that should be able to get them a lot better visibility of how the investments are aligned with things that they care about, whether it is global warming or diversity or anything else that they care about.

                                                So, those two together we think of having a really robust, wide thematic range for sustainability themes and also giving customers the tools, combined together, will really empower customers, and we're doing both together. So, obviously, it's a process. So, it does take time to put things in place. We're now at the kind of proof of concept stage for this. But if that proves to be successful, we will continue on with implementation. And again, you should be seeing the results of that next year.

Tony Clark:                          That's fantastic. And I guess we would continuously welcome feedback on that kind of content, that kind of education piece, that knowledge piece, etc., and any support we can give on that front we would always consider to see what we can do, as we take our responsibility on this so strongly, don't we?

                                                I guess you'll get a number of questions, Maria, around our definitions and how we defined the elements of our strategy and our exclusions policies and what we include, what we exclude. And that will be up for debate in terms of folks who maybe are trying to look for black-and-white answers to some of these questions. But I guess just as an example, one of the questions we've had in is around BlackRock's fund deemed to be low-carbon, yet it includes companies with up to 5% revenues from thermal coal and tar sands. A very specific question, but how do we shape our thinking on that? How do we consider that fund to be low-carbon, given those numbers?

Maria Nazarova-Doyle:     So, the fund is not just fossil fuel-free funds, to begin with. It is a low-carbon fund because it actually achieves more than 50% carbon reduction compared to its index. It outright excludes companies that have over 5% revenue from thermal coal and tar sands, which actually is a very, very low threshold. And what that means is that the companies who potentially have some operations that give them a small amount of revenue, they normally will be phasing them out and they would have put plans in place and agreements in place to phase them out, like Drax recently did, for example. So, it's a process of companies moving out from those areas.

                                                So, what BlackRock's fund does, it cuts off anybody who has more than 5%. And then those who have below 5%, it then does the scoring over them. And it may be that that scoring means that actually they're still not in the fund, because there are also then rules about 2% of the MSCI universe of being in that fund. So, it might not even be there, specifically. So, we can look at it on a company-by-company basis.

                                                But the point is that whatever is left in the investable universe after that exclusion is being scored, and only companies that actually have very clear targets and goals and commitments of exiting those areas, they will be included in the fund. So, yes, for us, it's very much a low-carbon fund that gives a really good carbon benefit to the portfolio.

Tony Clark:                          Thank you, Maria. And I wonder within that then if that answers one of the other questions that we've had, does that start to balance out something you've mentioned already. So, you mentioned that ESG has got both an investment risk and an investment opportunity. And we've been asked how we manage to minimise the risks associated with ESG investments. Some of the answer may have been in what you just said there, but I wonder if you had any wider thoughts on that, at all?

Maria Nazarova-Doyle:     I think kind of a straightforward tool to manage ESG risk is exclusions, but as I've said before you don't want to exclude too much. You want to exclude some of the unrewarded risks that you can't manage with stewardship. But beyond that, also stewardship is a really good risk mitigation tool.

                                                What helps – specifically, around carbon – is embedding that thinking into your asset allocation process, and that's what we're doing at the moment. So, we're kind of on this journey. So, we already take into account carbon footprinting of investments when we do asset allocation analysis for our portfolios.

                                                But I want to go even further and properly embed it into scenario analysis and kind of in line with TCFD recommendations, as well. And we're working with some data providers and tool providers to help us develop something completely new that will help us embed that into our asset allocation.

                                                And one thing I probably should mention on this, as well, is the work that we've recently done with the IIGCC, which is the Institutional Investors Group on Climate Change. So, what they have done – and we supported them and were a part of the working group for this project – is design a framework, a Paris-aligned investor framework, which is amazingly important for the industry because it outlines what does it actually mean to be Paris-aligned in your investments. Because everybody talks about it, talks about net zero, talks about aligning portfolios to Paris, but nobody actually has yet said what that really means.

                                                And those people who maybe have made commitments, like it would be really interesting to see what they even mean by that, because there isn't a standard definition or understanding of what that means in practice. Whereas, this framework was put together by practitioners, for practitioners, representing some of the leading environmentally friendly and conscious investors in the world, essentially, to put together that framework that actually could be implemented for portfolios to then be able to say we are aligned with Paris Agreement.

                                                So, we supported that work and which was hugely exciting. And that framework is now out for consultations with the market. And once the feedback is received by the end of September, we'll see if that needs to be refined. And then, obviously, the next plan is then to start implementing that framework in portfolios. And hopefully we'll get some consistency in the market and we'll be able to actually call out if people are saying, "We are Paris-aligned and we are net zero aligned," if they use that framework that we should be able to all have some kind of belief that they are actually doing this properly.

Tony Clark:                          Thank you, Maria. And again I've got one last question which I'm going to ask. And I wonder if it is linked to the answer you just gave earlier, as well. It's a question that's just come through, which is it seems very much aligned to that kind of risk and the approach that we take. The question I've got here is around the extent to which our assessments here are backwards-looking, (i.e., it's kind of evidenced content that allows us to drive our decisions) versus a forwards-looking basis. So, the targets that countries around the world – the U.K. – have, et cetera, around these particular subjects, how do we balance that evidence piece looking backwards versus the target piece looking forward in terms of the decisions that we make?

Maria Nazarova-Doyle:     I'm trying to understand what that actually means. Okay. So, I think I get it. I think I get what you're asking. And if not, please get in touch with me separately.

                                                When we look back at ESG-related data and we look at kind of experienced financial performance, for a number of years we couldn't really see ESG factors coming through as performance-positive. But over the last few years that really has changed. And particularly, Morningstar has found that ESG funds, a majority of ESG funds, tended to outperform more traditional investments over one-, three-, five-, and 10-years periods from this year. So, that kind of paradigm is really shifting.

                                                I think it's a lot to do with investor expectations and investor behaviour as large institutional investors are moving their money towards kind of ESG-friendly strategies and better, more responsibly managed companies. So, there's a bit of a self-fulfilling prophecy in it.

                                                But also there's, like, lots of other factors, because customers are also voting with their dollars and pounds in terms of where they shop and which brands to buy from. The company profitability is actually changing, too. So, that ESG thinking is more and more embedded in our daily lives; hence, it has more impacts on company profitability, as well. Plus, investor behaviour is starting to move the dial, too.

                                                So, you can look at things like oil. Which has just not fared well in any almost of the periods you look since the Global Financial Crisis. It's, like, the last-performing, bottom-performing sector if you look at energy sector versus, say, technology, for example.

                                                So, ESG is here to stay. And if you look forward, it's only going to come through more and more. And whereas several years ago it was hard to see it in the data, it's now very much in the data, past-looking and forward-looking, as well.

Tony Clark:                          Thank you, Maria. And I did say that might be the last question. But actually, I've got one more for Ali. So, there's been quite a few questions around the fund make-up and the risk and that kind of very valid content, which is totally understandable. But one question that's been raised is around that diversity message, where we were talking about men versus women and their attitudes earlier on, Ali, and how we focus on race and gender a lot. One question has been raised about how Scottish Widows also are looking at things like social disadvantages, skills diversity, et cetera, when it comes to this subject, as well.

Alison Nicolson:                  That's a super question, because we do tend to default to some of these race and gender because the stats are actually just so powerful. But these are equally as big societal issues that we've got.

                                                There's a few things probably to share. I think that this is a topic in its own right. And if it is something that's of interest, we'd be very happy to create a webinar around it. We have what we call vulnerable customer program, and it's something that we're pretty passionate about right across the bank and it’s making sure that where people are disadvantaged for many different reasons – it can be social disadvantage, it can be educational disadvantage, it could be disability – that when we are designing new propositions and thinking about our literature and updating it – because some of it is still in old technical speak – we have a program of updating all of this, and we test that with vulnerable groups. And sometimes they can actually engage with us in a way that means that we're picking up exactly what we need. So, in some cases, it's a representative for the organisations that lobby for them. But there's some really interesting findings in that program that we're building through, and we'd be very happy to share.

                                                In terms of education, we have a program running at the moment and Scottish Widows sponsors called Helping Children Prosper. And this is a series of Zoom and webinars that engages kids. And we are doing it through some employers. So, if it's of interest to you on the call, then please do let us know.

                                                And what we're trying to do here is get to grassroots level in upskilling children on the basic financials. So, irrespective of social background, irrespective of education, there are some really basic needs or educational things that we want them to understand. And we built this on top of the program that the bank runs, where they go into schools and provide education at primary school levels. So, start to get people much more financially aware.

                                                And the final thing probably to bring out on that question is that we have charitable foundations in England, Wales, over in Ireland, and also in Scotland. And the key focus for them is disadvantaged groups. So, as well as supporting customers we invest directly into charities who are helping to support disadvantaged groups across some of these other social issues that the question is focusing on.

                                                So, there's a number of different themes in there, and if it's something that you'd like to know more about, then I personally would be very happy to speak to you or, indeed, we could set up a webinar around it.

Tony Clark:                          That's fantastic, Ali, and that's a comprehensive answer, as they all have been. Thank you so very much.

                                                A huge thank you to both Ali and Maria for joining us today and answering those questions and showing where Scottish Widows are in their journey around ESG and what the future looks like, as well. So, thank you, both.

                                                It's clear from the questions that have come through and the sheer number of them and the variation that this subject is one that many people are passionate about and for very, very differing reasons, whether that be from an investment perspective, an advice perspective, or a humane kind of desire to do the best for the planet perspective. It's just great to see such content. So, thank you all who've raised questions. We will come back to you after this call.

                                                And again, you'll have heard from both Maria and Allie that we are open to further dialogue. If you want to contact us directly, then feel free to do so, whether that be through the usual forums of the likes of LinkedIn and Twitter or through local Scottish Widows contacts. As you see fit, then please do so.

                                                So, thank you once more, Maria and Ali. And I wish you all the very best. Have a great day.

Alison Nicolson:                  Thank you, everyone.

Maria Nazarova-Doyle:     Thank you.