Our expert

  • Lucy Cresswell

    Principal and Senior Pension Management Consultant

  • What would you do if your scheme was the subject of a cyber attack?


    It’s a Saturday evening and you receive an email claiming your pension scheme data has been hacked, and a ransom is being demanded to avoid that data being sold on. Surely it's a hoax, as criminals aren’t interested in pension scheme data? Or are they?

    Unfortunately, they most definitely are. Pension schemes hold large amounts of personal data and assets, and their day-to-day operation requires multiple data transfers between trustees, administrators, advisers and employers. This makes them tempting targets for cyber fraudsters. A successful cyber attack could result in real financial loss to members and sponsoring employers, and there is also reputational damage to consider. With potential risks coming from a number of directions, trustees should seriously consider what steps they can take to mitigate them. A cyber attack should be thought of as a question of when, not if, it will happen.

    Trustees have a responsibility to protect their members – and this includes protecting them against ‘cyber risk’. Cyber risk covers risk to information as well as to assets, and both internal and external sources need to be considered. Risks need to be managed and the impact of breaches minimised, but do you understand the cyber risk facing your scheme?

    Being aware of the different types of cyber attack is the first step. The more common ways in which they occur are:

    • external attacks, either by malware or by social engineering (for example, phishing emails)
    • internal risks, either accidental (a misdirected email, a lost device) or intentional
    • risks arising from the transfer of confidential data between the scheme and its service providers

    Assessing and managing risk

    Trustees should put in place processes to build cyber resilience. These should assess and minimise the risk of an incident occurring, but also ensure the scheme can recover when one does. Victims of cyber fraud face many consequences, including fines, an inability to pay benefits correctly, and reputational damage. Being aware of cyber fraud is only the beginning of the story; trustees should also have a plan in place to respond to an attack.

    Where are your weakest links, and are you aware of any potential exposure to cyber risk? Do you have a response plan should your scheme be subject to a cyber attack?

    Remote working challenges

    The pandemic has forced most of us to find a new way of working, and working from home has become the ‘new normal’. With most companies adapting well, the new normal is likely to be here to stay, at least to some extent, but this flexibility also forces us to confront different challenges.

    Remote working has increased both exposure to and awareness of cyber risks, and trustees need to take steps to make sure their scheme is protected. Issues that may previously have gone unnoticed include:

    • the dangers of printing sensitive data or downloading it to a memory stick
    • whether home Wi-Fi networks can be accessed by others
    • the need to dispose of printed data securely
    • whether personal devices used for scheme business are secure and kept up to date
    • the security of virtual meetings, including who can join them and how invitations are shared

    Data security concerns are no longer mainly confined to offices, and trustees need to rely on the IT systems of their service providers as well as their own. As data controllers, trustees are ultimately responsible for what happens to scheme data and need to ask the right questions to understand their exposure to cyber-related risks. Anyone, even the most experienced advisers and trustees, can fall victim to a phishing email; all it takes is one click.

    Results from the 2021 Winmark Pension Chair Remuneration report indicate that a significant majority of respondents (84%) expect at least some of their meetings to remain virtual in the long term. This suggests that the additional cyber risks related to remote working are here to stay. 

    It is not surprising that the Winmark Report also found that 64% of respondents expect increased cyber security threats due to the new ways of working, and 67% consider mitigating cyber risks to be a priority for their scheme in the next two to three years. When it comes to cyber risk, nobody can afford to become complacent.

    Do your procedures need to be updated to reflect remote working challenges? 

    What action can trustees take?

    Cyber security should be a regular item on the agenda before and at trustee meetings, whatever the size of the scheme. Trustees should also work with their service providers to understand exactly how they are managing cyber risk. Unfortunately, it is not enough to rely on advisers simply saying that they have robust policies in place.

    When was the last time you asked your service providers and advisers if they have updated their cyber policies or whether they have provided mandatory cyber training to employees?

    When looking at your cyber security framework, bear in mind that trustees are not immune to cyber attacks themselves. In fact, a trustee using a personal email address and device is probably more likely to be targeted by criminals and, more importantly, more likely to be successfully attacked, because personal accounts and devices typically lack the controls (such as multi-factor authentication, patching and monitoring) that a corporate environment provides.

    Trustees should be familiar with their own policies and procedures. Remember, cyber risk is constantly evolving, so any controls need to be monitored and adapted to respond to changes. Trustees are responsible for member data and the safe custody of assets, and should be taking all reasonable steps to keep these safe.

    Here are some of the actions we believe trustees should take to protect themselves and their schemes against cyber risk:

    • update their risk registers to make sure their cyber risk controls are sufficiently robust
    • ensure trustees and data processors undertake regular training on cyber security risks
    • review the security of their own systems, policies and procedures, engaging specialist cyber security and risk consultants to provide support where necessary
    • make sure that they are storing and transferring data in a secure way
    • put a cyber security policy and an incident response plan in place
    • undertake an annual review of cyber controls using a cyber checklist

    The Pensions Administration Standards Association’s (PASA) Cyber Security Guidance recommends several additional key organisational controls which can mitigate cyber security risks. More information is available from PASA.

    What’s next in cyber security?

    Risks related to cyber security are ever evolving, and The Pensions Regulator (TPR) recommends a dynamic response, as fraudsters are constantly looking for new ways to get their hands on data and assets.

    The National Cyber Security Centre (NCSC) is a good source of information and guidance on cyber threats, including a weekly threat report. The most recent threat report is available on the NCSC website.

    You may also be aware that TPR’s new Code of Practice (“the new Code” – currently draft with the final version due in 2022) will include a section on cyber controls. The new Code states that for pension schemes an effective system of governance (ESOG) including internal controls needs to include measures to reduce cyber risk. It also says that functioning cyber controls will assist trustees in complying with data protection legislation and may reduce liabilities in the event of a data breach. 

    The new Code includes specific expectations for trustees on how to assess and manage cyber risk. Schemes with at least 100 members will need to document the effectiveness of these steps in their Own Risk Assessment (ORA). 

    How we can help

    We have a dedicated UK-wide Pension Management team with specialists who can help deliver services for cyber security, including:

    • cyber security awareness training for trustees (and scenario testing);
    • an assessment of existing cyber security policies and documents, followed by help in developing a robust cyber security policy and an incident response plan if one does not exist;
    • assistance with a regular review of existing cyber security procedures, policies and incident response plans; and
    • guidance on the assessment of advisers for cyber security risk and resilience - BW provides internal training on information security to ensure that as advisers we are meeting the requirements, but trustees may also need assistance in taking a holistic view of all the scheme’s advisers and processes.

    For more information please contact your usual BW consultant, or Lucy Cresswell using the contact details below, or Anne Lynch in our Pension Management team on anne.lynch@barnett-waddingham.co.uk.
