Fewer than a quarter (22 per cent) of pension schemes have a risk register documenting cyber risks in place, according to a survey conducted at the PLSA Annual Conference 2022.
Aon associate partner, Vanessa Jaeger, said she was surprised that the proportion of schemes with a cyber risk register was so low.
“Risk register is a little bit surprising, that is quite low,” she stated. “I think most schemes should have that and the auditors are requesting that these days.”
The poll also found that just over a fifth (21 per cent) of respondents had a cyber security policy in place with their scheme.
Nearly one in five (19 per cent) had a programme for reviewing third party lenders in their scheme, while the same percentage had an incident response plan in place.
“The incident response plan, that’s something quite a lot of you need to pay attention to if you haven’t done already because it’s something that is going to be part of the single code when that comes in,” Jaeger said.
Just over one in 10 (11 per cent) had cyber guidance for trustees/trustee hygiene policy in place, while 9 per cent had mapping of the security controls for the movement of data and assets.
Although no single polling option was in place for more than a quarter of the audience, no respondent reported having none of the anti-cyber attack measures in place.
“When we’re thinking about challenges, the first challenge we tend to see is schemes don’t know where to start,” Jaeger said.
“You know we need to do something about cyber risk. It might be that you don’t understand what the risk means, or it might be that you don’t understand what you need to do to manage that risk.
“The second challenge we are seeing is around not understanding what the overall framework is and what actions you need to take.
“The third challenge we are seeing is a number of schemes have gone quite a long way through this, they’ve completed all the tasks to start with, but then they’re working out how do we turn this into business-as-usual activity.
“I think it’s important to recognise that looking at cyber risk is not a one-off project.”