It is expected that the trend of high-profile cyber security incidents will continue for the rest of the year and the rest of the decade. It is only a matter of time before we see significant incidents for a range of pension schemes.
Pension schemes present criminals with a potential source of significant quantities of data and assets. The industry and the Pensions Regulator (TPR) recognise that schemes are a prime target for fraudsters and criminals.
TPR’s published guidance highlights that all ‘pension scheme trustees need to take active steps to protect members and assets against cyber risk’ and the Pensions Administration Standards Association (PASA) recommends that trustees prepare for when a cyber security incident occurs rather than if.
It is impossible to remove all risk of a cyber security incident taking place, but here are the recommended steps we think pension scheme trustees should take now to significantly reduce the risks.
Carry out an initial risk assessment
A first step is to review your current security levels and consider whether there are any weak links in your processes. For example, do the trustees have secure email addresses and secure devices on which they access scheme data?
Is it possible to anonymise meeting papers further to limit the amount of data being transferred between parties? If there are any weak links, consider how to make the security around these more robust.
Have an incident response plan in place
If a cyber security attack were to take place, do you know what steps you would take to deal with it? All decisions and remedial action will need to happen very quickly. It is vital to plan your response in advance, mapping out what the process would be and who the key decision-makers are if an incident took place.
Audit your advisers/suppliers
Have you asked questions of your key third-party suppliers – including scheme administrators and investment managers – about what they would do if a cyber security attack were to take place that affected your scheme?
Do they have an incident response plan of their own? It is also worth reviewing the contracts for these suppliers to understand where responsibility for a cyber security breach would lie. If this is not currently covered in your contract, then you should consider setting this out for clarity.
Consider your insurance
What insurance cover (if any) do you have that you could call on in the event of a cyber security attack? If you have insufficient or no insurance, consider whether there is any cover (or additional cover) that you should put in place now.
Monitor cyber risk
A pension scheme’s cyber risks should be assessed, recorded in the scheme’s risk register and regularly reviewed.
Have trustee training
Does the trustee board know what to look for? What are the warning signs of cyber security scams and common preventative measures? PASA’s guidance highlights that human error is the most common cause of cyber security breaches; training is a vital mitigating step against this risk.
Samantha Howell is an associate in the pensions team at Burges Salmon