With "European Cybersecurity Month" drawing to a close, and the Pensions Regulator sharpening its focus on cyber risk as part of its new single code of practice, now is the perfect time for pension scheme trustees to consider this significant and growing area of risk to their scheme.
Following the introduction of the General Data Protection Regulation (GDPR), many pension schemes are complying with their legal obligations, but the threat of cyber attacks continues to grow. Indeed, 2020 was the busiest year on record for cyber attacks against UK business, with hackers taking advantage of factors like the pandemic and remote working.
GDPR projects were all about compliance, but the challenge now is about risk management. Cyber security is not a "techy" risk that can simply be eliminated by installing firewalls and anti-virus software; those controls are necessary but not sufficient. It is a risk that requires robust governance procedures – assessing, analysing and mitigating the threat to your scheme's IT systems and to those of your third party service providers.
The pandemic, the evolution of financial technology and the looming introduction of pensions dashboards mean schemes are under pressure to provide more and more information digitally. This trend, coupled with the renewed emphasis from the Pensions Regulator (TPR) as part of the new single code of practice, means cyber security should be a key focus for pension scheme trustees.
To help better understand and minimise potential threats, our pensions and cyber security experts have prepared a summary of the major issues. Here we set out some of the themes trustees should bear in mind and look at ways to approach cyber risk, based on guidance from TPR and our own experience of supporting trustees facing these threats in real life.
What is cyber risk?
Cyber risk is the risk of loss, disruption or damage caused by the failure, interruption or compromise of a scheme's IT systems and processes, including those operated on its behalf by service providers. It is easy to get lost in the sometimes mind-boggling terminology surrounding cyber security, but the key point for trustees to understand is that it is wider than just protecting the personal data of members (which was the focus of GDPR). Cyber risk threatens every part of a pension scheme's operation, from paying monthly pensions all the way up to loss of the scheme's assets.
Assessing the risk to your scheme
The first step to tackling the threat is understanding where the risks lie for your scheme. These depend on a wide range of factors, but the questions trustees should ask themselves include:
- Is cyber risk regularly monitored through the risk register or an "own risk assessment"?
- What is the level of trustee knowledge and understanding? This is likely to vary and we can support you with tailored training sessions; designed to suit your needs, whether you are at the start of your thinking on cyber risk, or have been analysing cyber risk for several years.
- Do the trustees have clearly defined roles and responsibilities in relation to cyber security? Is there a policy on system controls (e.g. anti-virus software, multi-factor authentication and password practices) and physical controls (e.g. not sending scheme documents to shared printers and locking devices when unattended) that all trustees comply with?
- Do the trustees have a "cyber risk map" setting out your scheme's connections to anyone who:
- holds personal data about the scheme's members (e.g. sponsoring employers, third party administrators, or online platform operators); or
- holds information about the assets or investments of the scheme (e.g. fund managers, custodians or AVC providers).
- Has an assessment been carried out of the potential vulnerabilities of those third parties and of what a cyber attack on any one of them would mean for the trustees and the scheme? How is this addressed in your contracts with those third parties?
Analyse the risk
The next step is to analyse any risks that you have identified. We can help with assessing the legal risk and updating or putting in place governance structures, working alongside your internal or external technical support (as applicable).
TPR's new single code of practice makes clear that trustees should consider to what extent technical support is available in this area. In our view, that does not necessarily mean external IT consultants and additional costs. Instead, you may be able to call on technical experts already employed by your scheme's sponsoring employer (although the terms under which this support is provided will need to be considered). The interests of trustees, sponsoring employers and members are ultimately aligned here – protecting the scheme from cyber attack should be a priority for all.
Mitigate the risk
Cyber attacks are increasingly common and, though the risk can never be fully eliminated, there are practical steps trustees can take to protect the scheme and its members, such as:
- ensuring data is backed up, that backups are tested and kept separate from live systems (so that a ransomware attack cannot encrypt them too), and that devices used for home working are encrypted, patched and secure;
- ensuring that scheme or employer email accounts on a secure domain (rather than personal email accounts) are used for trustee business;
- maintaining policies for data protection, complying with them and reviewing them regularly;
- putting in place reporting structures with third party providers to flag cyber incidents and risks; and
- maintaining a breach log and reviewing any incidents to identify themes and recurring issues.
Alongside the practical steps you can take, we can provide support with legal options to better protect the trustees in the event of a cyber attack. These include renegotiation of contractual protections and advice on obtaining cyber insurance to protect the trustees and the scheme if the worst should happen.
How can we help you?
We have experience of supporting trustees with planning a cyber security strategy, putting policies in place to mitigate risk and supporting you in responding to cyber attacks. The approach can be tailored to your scheme, and scaled to reflect the complexity of the risks you face and the level of time and resources you have available.
Examples of how we can help include:
- TKU (trustee knowledge and understanding) - Delivering trustee training on cyber risks and working with you to develop a cyber security project plan to address any areas requiring legal input.
- Assessing the risk - Providing a cyber security questionnaire and a framework for you to use to compare responses to assess your risk levels.
- Analysing the risk - Reporting to you on the contractual protections you have in place with third party providers and identifying any weaknesses.
- Mitigating the risk - Advising on negotiations with third party providers to secure cyber protections and providing legal input on insurance policies the trustees may require.
- Breach response preparedness - Preparing an incident response plan for the trustees to adopt should they fall victim to a cyber attack, and providing breach coaching.
- Assisting immediately after an attack - Advising on breach response, including preventing further losses (of data or assets) and notifying insurers, the Information Commissioner's Office, any affected members, the police, TPR and any relevant third parties, and assisting in making those notifications where they are appropriate or required.
- Assisting with asset recovery - Advising on and pursuing claims against third parties to recover scheme assets.
- Responding to claims from members - Advising on and defending the trustee/scheme against claims by affected members arising from any cyber incident.
- Managing reputational risk - Helping you to liaise with the sponsor and third parties to manage the risk of damage to reputation arising from an attack.
For more insight or to discuss any of the above areas where you feel you might benefit from support, please contact Ben Goldby in our Pensions team or Helen Davenport in our Cyber Security & Data Protection Law team.