The Pensions Regulator has published its cyber security guidance to help trustees ensure that members and assets are protected against cyber risk.
The guidance outlines three key areas that need to be addressed: governance, controls and incident response.
In summary, it sets out steps that trustees should take in order to build cyber resilience, including:
1. Clearly define, document and understand roles and responsibilities
2. Ensure sufficient understanding of the cyber risk in their scheme, including by developing an awareness of the scheme’s “cyber footprint” (i.e. the extent of the digital presence of all parties involved in the scheme)
3. Receive regular training and have access to the required skills and expertise
4. Ensure sufficient controls are in place to minimise the risk of cyber incident around systems, processes and people
5. Include cyber risk on the scheme’s risk register and review regularly
6. Assure themselves that all third party suppliers have sufficient controls in place
7. Have an incident response plan in place
8. Be clear on how and when incidents would be reported to the trustees and others, including regulators
9. Regularly test and review controls, processes and incident response plan and be regularly updated on cyber risks, incidents and controls
The guidance comes at a time when trustees will already be prioritising cyber security and data protection issues in preparing for the General Data Protection Regulation.