Scope and Summary
This note provides a practical summary of some key aspects relating to cyber security in connection with pension schemes as at June 2021.
Takeaway points include:
- cyber security is relevant for trustees as they are ultimately responsible for ensuring appropriate measures are in place to manage the retention and transmission of the scheme's data securely; and
- there are practical steps that trustees should be taking to build their scheme's cyber resilience.
Why is this important?
Cybercrime now accounts for over half of all crime in the UK, yet the majority of pension schemes are not adequately prepared for the risks.
Pension schemes are attractive targets to cybercriminals because of:
- the 'rich' personal data they ultimately control; and
- the importance of continuing to pay pensions without interruption, which makes them potentially vulnerable to ransomware attacks.
Since the introduction of GDPR, over 158 breaches have been reported to the Information Commissioner's Office relating to the pensions sector and at least 43 of these were categorised as relating to cybercrime.
Relevance for Trustees
Trustees are:
- ultimately responsible for ensuring appropriate measures are in place to manage the retention and transmission of data securely;
- required to actively protect members and assets against cyber risk (which means putting in place pre-emptive measures);
- accountable for the security of scheme information and assets even when delegating or outsourcing the day-to-day functions of the scheme; and
- unable to outsource their responsibility for cyber risk.
It is not possible to be 100% cyber secure because the threat is continuously changing. Instead, pension scheme trustees and managers should focus on building cyber resilience within their schemes through pre-emptive and reactive action. This could include:
- carrying out a risk assessment to assess current security levels. This will identify the information assets that could be affected by a cyber-attack along with any risks that could affect those assets;
- preparing an incident response plan to ensure there is a clear, step-by-step plan to follow in the event of an incident;
- maintaining a risk register that records the actions taken to mitigate such risks and ensures ongoing monitoring of those risks;
- auditing contracts with key third parties. These contracts should set out the standards that must be met in relation to cyber security and also what happens in the event of an incident;
- ongoing training for trustees so that they understand their responsibilities as well as the key risks and what is in place to mitigate those risks; and
- checking insurance cover for cyber security breaches. Policies vary greatly between different insurers so this should be borne in mind.
Points to consider
TPR has said that the controls put in place to protect against cyber risk can and should be proportionate to the profile of a given scheme. PRAG's cybercrime guidance suggests three points to consider:
- how attractive is the pension organisation to cybercriminals? The general answer will be 'fairly attractive' given the nature of pension schemes;
- what damage would be caused by a cyber breach? Factors to consider here are the strength of the scheme's public profile and the expected financial damage; and
- to what extent is the scheme cyber resilient? Trustees should consider whether the scheme's data has been mapped out, whether penetration testing (ethical hacking) has been carried out to test the strength of the systems, whether the scheme's third party providers back up data in a safe and secure manner, and whether crisis management arrangements are in place.
Unlike many other risks, cybercrime is not static. It will continue to grow and evolve, and pension schemes need to understand their vulnerabilities if they are to address them effectively.
Cybercrime is a very real issue for pension schemes. It is one that must be prepared for, and that means taking appropriate and proportionate steps to make the scheme more secure. The responsibility for doing so falls to the scheme's trustees. The scheme's security should be regularly monitored and plans should be in place to mitigate any damage in the unfortunate event of a cyber-attack.