Trustees urged to consider ‘personal cyber hygiene’ to mitigate cyber risk

Pension scheme trustees should assess their ‘personal cyber hygiene’ to mitigate the risk of cyber attacks, the Institute and Faculty of Actuaries (IFoA) has said.

In a publication on the key cyber risks faced by pension schemes, the IFoA warned that cyber risk poses a “significant threat” and has the ability to cripple administration, breach confidentiality or defraud the scheme and employer.

It noted that trustees are ultimately responsible for ensuring adequate protections and mitigations are in place and should require both in-house and third-party operations to adhere to basic cyber hygiene principles “at a minimum”.

In considering their personal cyber hygiene, trustees were urged to assess the strength of their passwords, ensure they have adequate virus and anti-malware protections in place, and regularly apply security updates and patches to their operating systems.

The publication, written by IFoA Operational Risk Working Party chair, Patrick Kelliher, and IFoA Cyber Risk Working Party member, Vanessa Jaeger, warned against the use of unsupported software, such as Microsoft Windows 7, which is more vulnerable to attack.

Trustees were also called upon to assess their email security by monitoring whether they retain scheme correspondence that contains personal data and considering whether any e-signatures used could be used by a cyber criminal to commit fraud.

“Trustees should seek to undertake regular training to ensure that they stay up to date as threats and tactics evolve,” said the IFoA.

“This could be from advisers, the sponsor or using online tools such as UK National Cyber Security Centre (NCSC) guidance. Trustees could also take part in phishing exercises to assist them with staying alert to potentially harmful emails.”

Even with robust controls in place, successful cyber attacks are still possible, the IFoA warned, and it suggested that trustees consider whether their third-party providers have sufficient financial resources to deal with the costs.

This may include their cyber insurance, although the IFoA noted that insurance is unlikely to cover GDPR fines and basic cyber hygiene would still need to be maintained, even if cyber insurance is in place.

“Trustees should also have regard to exposure they have to the employer and should seek assurances as to the strength of employer cyber controls,” the authors continued.

“Employers provide such indemnities by way of the scheme rules, but, for those employers with weaker covenants, trustees may need to consider alternative protections.

“For example, trustees should also enquire about the employer’s insurance policies and whether any of these would cover the scheme as well as the employer from cyber attacks.”
