With European Cybersecurity Month drawing to a close, and The Pensions Regulator (TPR) sharpening its focus on cyber risk as part of its new single code of practice, now is the perfect time for pension scheme trustees to consider this area of significant and growing risk to your scheme.

Following the introduction of the General Data Protection Regulation (GDPR), many pension schemes are complying with their legal obligations, but the threat of cyber attacks continues to grow. Indeed, 2020 was the busiest year on record for cyber attacks against UK business, with hackers taking advantage of factors like the pandemic and remote working.

GDPR projects were all about compliance, but the challenge now is about risk management. Cyber security is not a 'techy' risk that can simply be eliminated with firewalls and anti-virus software. It is a risk that requires robust governance procedures – assessing, analysing and mitigating the threat to your scheme's IT systems and those of your third party service providers.

The pandemic, the evolution of financial technology and the looming introduction of pensions dashboards mean schemes are under pressure to provide more and more information digitally. This trend, coupled with the renewed emphasis from TPR as part of the new single code of practice, means cyber security should be a key focus for pension scheme trustees.

To help better understand and minimise potential threats, our pensions and cyber security experts have prepared a summary of the major issues. Here we set out some of the themes trustees should bear in mind and look at ways to approach cyber risk, based on guidance from TPR and our own experience of supporting trustees facing these threats in real life.

What is cyber risk?

Cyber risk is the risk of loss, disruption or damage caused by a failure or interruption of a scheme's IT systems. It is easy to get lost in the sometimes mind-boggling terminology surrounding cyber security but the key point for trustees to understand is that it is wider than just protecting the personal data of members (which was the focus of GDPR). Cyber risk threatens every part of a pension scheme's operation; from paying monthly pensions all the way up to loss of the scheme's assets.

The first step to tackling the threat is understanding where the risks lie for your scheme. These depend on a wide range of factors but the questions trustees should ask themselves fall into two categories:

Internal

Is cyber risk regularly monitored through the risk register or an 'own risk assessment'?

What is the level of trustee knowledge and understanding? This is likely to vary and we can support you with tailored training sessions; designed to suit your needs, whether you are at the start of your thinking on cyber risk, or have been analysing cyber risk for several years.

Do the trustees have clearly defined roles and responsibilities in relation to cyber security? Is there a policy on system controls (e.g. anti-virus software) and physical controls (e.g. not sharing printers and changing passwords) that all trustees comply with?

External

Do the trustees have a 'cyber risk map' setting out your scheme's connections to anyone who:

• holds personal data about the scheme's members (e.g. sponsoring employers, third party administrators, or online platform operators); or
• holds information about the assets or investments of the scheme (e.g. fund managers, custodians or AVC providers)?

Has an assessment been carried out on the potential vulnerabilities of those third parties and what a cyber attack on any one of them would mean for the trustees and the scheme? How is this addressed in your contracts with those third parties?

Analyse the risk

The next step is to analyse any risks that you have identified. We can help with assessing the legal risk and updating or putting in place governance structures, working alongside your internal or external technical support (as applicable).

TPR's new single code of practice makes clear that trustees should consider to what extent technical support is available in this area. In our view, that does not necessarily mean external IT consultants and additional costs. Instead, you may be able to call on technical experts already employed by your scheme's sponsoring employer (although the terms under which this support is provided will need to be considered). The interests of trustees, sponsoring employers and members are ultimately aligned here – protecting the scheme from cyber-attack should be a priority for all.

Mitigate the risk

Cyber attacks are increasingly common and, though the risk can never be fully eliminated, there are practical steps trustees can take to protect the business and the scheme, such as:

• ensuring data is backed up and devices used for home working are secure;
• ensuring that secure email domains (rather than personal email accounts) are used for trustee business;
• maintaining policies for data protection, complying with them and regularly reviewing;
• putting in place reporting structures with third party providers to flag cyber incidents and risks; and
• maintaining a breach log and review any incidents to identify themes and recurring issues.

Alongside the practical steps you can take, we can provide support with legal options to better protect the trustee in the event of a cyber attack. These include renegotiation of contractual protections and advice on obtaining cyber insurance to protect the trustees and the scheme if the worst should happen.

Share Story: