Two-fifths of pension schemes admit to having no cyber policy

Industry research has shown the “mixed state” of cyber security amongst UK pension schemes, revealing that whilst 57 per cent of schemes have a cyber strategy, over 40 per cent do not.

The survey from Aon, Cyber Threats to Corporate Pension Schemes, found that 75 per cent of trustees have had training on cyber risks, but that fewer than one in five schemes have clearly documented cyber hygiene policies.

Trustee portals were also found to be the most common way of sharing information (70 per cent) and data (86 per cent), despite the majority of schemes confirming that they undertake no checks on the security of these portals, instead relying on providers to do this.

However, whilst the assessment of cyber controls at administrators was “extensive”, with almost 90 per cent of schemes conducting checks, the “majority” do not use specialist expertise to assess the checks of providers, while less than 50 per cent assessed any providers other than their administrator.

In addition to this, 95 per cent of schemes stated that they had a data breach policy, yet over a third (36.7 per cent) still admitted to sending investment instructions in unencrypted emails.

Furthermore, despite guidance from The Pensions Regulator on response plans, only 40 per cent stated that they had a robust incident response in place, with 60 per cent of schemes believing that they can rely on the sponsor’s cyber security resources in the event of an incident.

However, Aon warned that there are concerns over the reliability of such support, with further questioning revealing that only 30 per cent of schemes had received input from the sponsor for their incident plan.

Nearly two-thirds (63.3 per cent) of schemes also stated that they have not assessed the potential financial impact of a cyber-attack. Just 2 per cent of schemes have taken out a cyber insurance policy, while 20 per cent rely on their employer's policy and over 45 per cent rely on their trustee indemnity policy.

Commenting on the findings, Aon partner, Paul McGlone, stated: “We launched the Aon Pension Cyber Scorecard as a tool for UK trust-based pension schemes to assess their cyber resilience across a range of areas, and as a means of comparison with other schemes.

“More than 100 UK schemes have now used the scorecard, so we have a detailed view of the state of preparedness across the industry – and it is a mixed picture.

“We can see that some schemes have strong governance across all areas, while others are only starting their cyber journey. However, the scorecard also provides a road map for how a scheme can take its cyber controls from novice to proficient in relatively short order.”

In addition to this, McGlone noted that the responses in the assessment did vary “somewhat” by size, with larger schemes performing better on average.

“However, we concluded that size was not the key determining factor of cyber resilience,” he clarified. “Rather, it is what the market calls ‘cyber maturity’, with trustee awareness of the issue being a key factor in driving action and maintaining watchfulness.

“Schemes that have identified and understood the issues and then taken steps to address them, come out of the scorecard assessment well. Schemes that have not yet engaged with the issues, do not. On the plus side, we believe that many improvements can be made swiftly.”

Aon principal consultant, Vanessa Jaeger, added: “In many respects, it’s encouraging that the position across the industry is changing quickly.

“The very nature of cyber risk means that it is an evolving area in which even the biggest, best resourced, best prepared schemes can’t think ‘job done’ and relax. This is an area that requires periodic assessment to stay on top of the latest challenges.”
