Pension schemes are increasingly reliant upon online services, which increases their risk of cyber attack and the associated financial and reputational fallout.
Trustees and scheme managers are required by law to operate adequate internal controls, which increasingly includes the ability to withstand cyber security risks. Schemes should therefore place as much emphasis on cyber risk as they do on any other business risk.
The regulator’s guidance
The Pensions Regulator’s guidance on cyber security sets out good practice processes to help trustees and scheme managers tackle this issue. In broad terms, it suggests that cyber security risks are considered in terms of the risk assessment cycle: understand and assess the risks; put controls in place; and then monitor and report on these controls regularly.
It also gives more detailed guidance on the key areas of governance, controls and incident response, stressing the importance of:
setting clear roles and responsibilities in relation to cyber governance
providing sufficient training to ensure that knowledge and understanding are up to date in respect of the value and likelihood of risks and the different types of cyber risk
adopting sufficient and proportionate internal controls processes and documenting them in a risk register with regular reviews
ensuring the IT infrastructure is sufficient, with policies and processes to support the use of IT equipment and staff adequately trained in order to minimise cyber risks
agreeing an incident response plan setting out the roles and responsibilities and step-by-step actions to be followed
regular review of processes and controls to recognise the evolving nature of cyber security risks.
However, some of these steps are easier said than done, especially when agreeing details such as who will lead on any incident response plan between the various organisations involved in the pension. This plan needs to cover all the relevant stakeholders in the scheme and potentially coordinate between multiple firms and individuals.
In a number of recent cyber security reviews undertaken on behalf of pension schemes, we have seen several common areas of weakness. These include a lack of basic protection on independent trustee laptops, and email accounts and data rooms used for exchanging data that rely only on usernames and passwords, often with joint accounts whose passwords have not been changed in several years.
Addressing these areas and ensuring adequate security measures are in place is essential to mitigating any potential threat.
Ensuring your pension scheme is cyber risk resilient
It is important that trustees and scheme managers understand how cyber crime can impact pension funds and what actions can be taken to prevent it. Taking a holistic approach, where all parts of the fund’s management are interconnected and the group is continuously working together, will help to protect the entire scheme.
Cyber attacks can range from straightforward data theft (requiring reporting to the Information Commissioner's Office (ICO) within 72 hours and notification of all individuals whose data has been affected) through to more sophisticated frauds. A recent case in the US saw a hacker gain access to a pensions administrator and siphon £15,000 per month in payments to fictitious pensioners in the Orange County Employee Retirement System.
However, cyber security doesn’t need to be overly complicated or vastly expensive. A range of solutions is available to provide assurance and risk reduction to trustees, managers and members. While no option will completely eliminate the risk, pension funds must employ a pragmatic, balanced and focused approach to cyber security. Not only will this help them respond effectively to constantly evolving threats and mitigate the risk from increasing levels of cyber crime, it will also go a long way towards meeting their data protection obligations.
Implementing good cyber hygiene
Industry experts estimate that over 80% of known cyber incidents can be prevented through good cyber hygiene and doing the basics well.
Working in conjunction with our cyber consulting specialists, our pensions audit team can help you understand, address and manage your cyber security risks.