Ben Goldby: So good morning everybody, we are just seeing the participant numbers ticking up in the bottom corner of my screen so we are going to get underway because we are joined by a chair of trustees today who I know likes to keep things running to time. So I don't want to offend Grant at all this morning.
So thank you very much for joining this cyber security webinar. We are really lucky to have with us today some experts within the industry, so I am going to be your host for today, my name is Ben Goldby I am a pensions lawyer as you can probably see from what I am wearing and the grey background. I am joined by colleague at Gowling WLG, Helen Davenport, Helen is a partner in our disputes team and she is a cyber-security and data protection expert with first-hand experience of dealing with cyber-attacks and we are also joined by Grant Suckling from Ross Trustees, Grant has over 20 years experience in the pensions industry and he is on the front line in supporting clients with cyber risk management.
So you will have a good range of people with pensions backgrounds there and the expertise from the disputes side.
So the intention of today's session really is to give you as many practical tips as we can on how to address the cyber risk that is facing your pension scheme. It is a risk that is facing all pension schemes and it's going up risk registers as we speak so it is on lots of people's agendas, how do we deal with it and how do we address the practical day to day things that we can do as trustees and as advisors and independent trustees to change behaviour and approach and make sure that we are mitigating this risk.
So we are going to start with some background from me on the pensions regulatory landscape, I am then going to hand over to Helen and Grant and they are going to look at the five key pillars of managing cyber risk that you can see on your slide there, so that is understanding assessing, control and mitigation, monitoring and minimising a cyber-attack and then we have left ten minutes there at the end for questions. If you have any questions during the session please submit them using the Q&A function in the bottom window there of the zoom, we are going to endeavour to get to as many of those as we possibly can. If we do not get to your question we will respond by email, so if you just put your name on your question we will have your contact details from your sign up to this webinar. If you would like to stay anonymous please just put the word anonymous at the start and even though we have got your details we will not read them out when we deal with your question.
So as I say just to start of just ten minutes from me with a little bit of help from Grant about the regulatory landscape there, so I am indebted to my colleague Rosie who is moving through these slides for me, thank you very much Rosie.
So why is cyber security and cyber risk on our agendas now. We first and foremost we have got the ESOG and the single code of practice. The effective system of governance has been a requirement for UK pensions schemes for a while actually, it has been in place since February of 2019, but most trustees are only starting to focus on the issue now because we have got the regulators single code of practice that is available in draft and that effectively puts some meat on the bones of the ESOG requirement that is in the legislation.
One of the things that is identified there in the single code is the need to establish controls and identify risks in relation to cyber security and there is a separate module within the draft single code that covers cyber risk. I know that we are all eagerly anticipating the final version of the single code, I think it is unlikely that the cyber requirements are going to go down at all, if anything they might go up.
So the ESOG requires you to adopt a risk management function proportionate to the size, nature, scale and complexity of your pension scheme. Now that is obviously helpful if you are smaller pension scheme, but the larger you are the more complex you are, the more sophisticated the system that you need to have in place to deal with cyber security. So that is the wider regulatory context.
There are two more points that I just wanted to draw out on this slide. The first one is really quite a general point about the world that we all live in now. So the extra increase in homeworking, the political instability stemming from the war in Ukraine and the increasing sophistication of the attackers as we all spend more and more of our lives online and dealing with each other through email. And finally on this slide you will be relieved to know we are not going to be talking too much about pensions today – that is a topic for another session but it is important to have in mind that the staging dates are going to come around much sooner than maybe some others have been thinking and that most schemes are going to be looking at a compliance project for dashboards in 2024 and 2025.
The cyber risks involved are significant because what dashboards are going to do is to shine a giant spotlight on the schemes data, so having an in place and effective system for dealing with cyber security is an important part of your preparation.
Grant Suckling: Thank Ben, I agree on the increasing threat of cyber security, it is something I have been quite concerned about recently following all of the investment collateral cause with experience and the sheer volume and last minute request to move significant amounts of money around and in terms of where cyber sits on risk registers and how to prioritise it without losing sight of other risks. Well the good news is cyber is and has been on most risk registers for a while now. It typically sits amongst a whole list of risks and so it can often get lost or be difficult to see the wood through the trees.
It is also a bit harder to score and rate and mitigate against so perhaps it can sometimes get left in that too difficult pile. Some schemes I am involved in have a top ten risk summary for their risk registers which I would encourage and it is there I would expect to see cyber showing in its red, amber, green status. Particularly as cyber instances for pensions schemes have more than doubled over the last two years and that risk, as Ben says, can only be increasing.
Now across the industry we are all acutely aware of the number of things to do and comply with for our pension schemes. The ESOG and all the requirements increase that significantly which includes the requirement to have a cyber-security policy. It is important to remain pragmatic and proportionate, my two favours p's as a trustee and advisor for your schemes in terms of the various policies.
But one would think or hope that the requirements to have a cyber-policy in place and then making it could features higher up the agenda in terms of compliance and important than perhaps some of the other more operational policies given the risk and significance that cyber security brings. Of course having a policy in place to meet a requirement is one thing, knowing what you will do with it when you need to move quickly, checking it works and that as a trustee you are comfortable with the protections and protocols in place is quite another.
Ben: Thanks Grant it is really helpful to have that front line experience there and I know that you are going to be contributing with that throughout so that is great thank you.
So moving on to my next slide, just some general points really to keep in mind throughout this session. The first is that we are not just talking about personal data here and I have used the dreaded four letters GDPR on this slide. We are not just talking about this data we are about four years on with it, over four years on, and it is difficult to think of that with the pandemic we have had in between, but 2018 was a sort of GDPR deadline and I know most pension schemes went through a really detailed process of assessing technical and organisational measures, particularly with third party suppliers. With GDPR all of the focus, and rightly so, was on personal and sensitive personal data.
This cyber risk we are talking about here is much wider than that, so whilst data protection legislation only applied to personal and sensitive personal data, the risk of a loss of any sort of data for example passwords or pins might lead to an attack which targets the assets of the scheme not just the personal data of members.
Grant: And I think Ben for me, the key thing here is just you know, data protection legislation, you know it is more than a governance issue. Protection against cyber-attack is a matter of risk management in a similar way to other types of risk that we run as trustees, investment losses, covenant deterioration, it is right up there. It is not as simple as that tick box exercise I referred to, an issue of privacy notice for example. It really does need to be baked into the processes of the trustee board.
Ben: Yes thanks Grant, agreed and my second bullet point goes to it, a similar point really, which is that back in 2018 many of your custodians or investment advisors, those who do not handle your member data gave quite limited responses to trustee questionnaires about what practices they had in place. A cyber-attack can easily affect one of those providers as well and can have quite a devastating impact of the scheme and lead to loss of assets and Grant talked a little bit earlier about the volume of collateral calls at the moment, so it is just keeping in mind that cyber risk as a whole scheme problem not just a member data problem.
My third bullet point there is really quite self-explanatory and I have used a nice sobering statistic on the slides there but it is just to say that cyber security is not an abstract risk, trustees need to have appropriate safeguards in place but human error is really the key issue here, so according to the ICO the most common human error is sending information to the wrong recipient, the wrong email, or the wrong postal address. I think lots of people on this call will have done that at some stage in their life, probably sometimes to quite embarrassing effect speaking from personal experience, but that is one of the key areas that we need to focus on and try to mitigate against and that again plays into my final point here on this slide which is that this is not a techy risk, it is not something that we need to be solely addressing through firewall software, we need to not get lost in the language about this, it is smack bang in the middle of what trustees should be looking at from a risk management perspective.
Grant: And Ben I agree on the human error point as a chair of trustees that is where you tend to see the data breaches occur, or the potentials for cyber security and so Helen and I are going to cover that later but it is not just about training once, it is about a reminder about simulating and those phishing emails to really just keep everyone on their toes, to remember it could be so easily done.
And the other point really for me is you know, how does this relate to protecting the pension scheme's assets and data? Well it is right in the middle of what we, as trustees, need to do from a risk management perspective: complying with regulatory guidance; reviewing contractual protections; drafting or reviewing policies; reporting breaches where they happen or considering whether to report – it is all part of how we can protect our scheme from these risks.
Ben: Totally agree with that Grant. So I am just going to briefly set the scene on my final slide here before I handover to Helen and Grant. Just to point out that there is a lot of guidance out there about cyber security, there is a lot of engagement in the industry which is really great to see. What we have drawn together is really our summary of the regulators' cyber security guidance which was first published back in April 2018, but it has been updated; the guidance from PASA, that is the administration organisation, back in November 2020; and the more recent and really helpful guidance from the Pensions and Life Time Savings Association.
So we have sub‑divided it into the areas that you can see there on your slide. Understanding; what you need to protect; assessing the threat; putting into place those appropriate controls and controls are built into that idea of the ESOG, as part of your single code compliance projects; monitoring the threat; and then responding to instances and minimising the impact. So, I can see that Helen is now on camera and ready to take up the baton so I will pass over to you, Helen.
Helen Davenport: Thank you Ben. So as Ben said, we are going to talk through each of those pillars with a practical focus. So let us start with that first then.
So the importance of understanding the threat to the pension's scheme. Now traditionally, larger organisations, those holding sort of greatest value in terms of assets, have really been the targets for cyber criminals and that certainly remains the case, but it is important to bear in mind that we have seen cyber criminals look to target a whole range of different sizes of organisations and in very many different sectors.
So trustees really need to understand first of all what makes a pension scheme an attractive target to cyber criminals? And what is it you really need to protect? Well, you have potentially got large amounts of data, valuable assets and that makes an attractive target. That data or those assets are potentially useful to attackers so they might be able to use personal data in terms of identity theft. They may be looking to attack assets, money to get their hands on or potentially to hold you to ransom for the assets that you have got.
And within any pension scheme there is often a sort of range of IT systems relied upon, so the sponsor's IT systems may play a part. Third parties may also be part of that sort of IT system or frame work as well and then there is also the personal set‑up of individuals. So there is a risk of gaps in that landscape which can potentially be exploited.
It is also really important that trustees understand the threats or the perceived threats to pension schemes, so is that unauthorised access to data which I have already started to talk about in terms of the threat of hacking or is it internal risks like shared printers or outdated software?
Grant: Helen, I would agree with the point about the large amounts of data. Our pension schemes hold and receive a lot of data and we are responsible for a large amounts of assets. As Ben said earlier, there has never been more data moving around than today and at speed which, of course, brings additional risks and responsibilities and vulnerabilities. We have seen an uptake in on‑line meetings, working from home and an increased focus on "just in time" decision making, particular around investment and moving monies all contribute to this issue around cyber for all schemes.
In terms of the perceived threats – some examples of threats that I have heard about or seen, as a professional trustee, emails can be intercepted; email accounts can be compromised; we might get calls from people who may not be who you think they are. You can sometimes get call backs from investment managers several weeks or several months after you have processed the forms and to check the changes and, by then, you have moved on. So actually having to go back and check, it is who you were expecting to speak to and that those account details match. Same with disinvestment signatures.
And the other bits to be aware of, signatures are getting more and more out in the public domain so thinking twice about signatures actually being on‑line in statement of investment principles, government statements etc., so maybe a take‑away from today is to publish redacted versions as well as keep the originals on file.
And, of course, there is danger here between the distinction, if we are not careful of well governed schemes that can and do take on the threat and put mitigation plans in place, compared to those less well governed schemes that do not do enough to understand the threat.
Helen: So, as we have just touched upon, we have got cyber‑attacks that are becoming increasingly more sophisticated; attackers finding more innovative ways to hack into systems, but that being said, as Grant has just touched upon, it is still possible to take on that threat, to reduce the risk of a cyber‑attack and the next stage is really assessing that risk and deciding what steps you should, or you want to, take.
Now you should start by conducting a cyber‑security risk assessment to help uncover potential gaps in your security. Now if you have got an internal IT team you can call upon, then they can help or you might be able to use the sponsor's IT team and they can then help you with that risk assessment. Alternatively, you may be able to bring in a third party IT expert to help you and then they will be able to stress test your systems and tell you where your vulnerabilities are and you will want to keep that under review.
There are some other important parts in this risk assessment. You want to bear in mind your legal and regulatory obligations; what you need to do to aim to achieve compliance and, as Ben talked about earlier, that may vary depending on the size of the scheme. You will also want to bear in mind your available resources, so I have just touched upon the fact that different schemes may have different resources – whether that is the sponsor's IT team or you may need to rely on external help – you will need to factor in those available resources in deciding the steps that you are going to take and you will also want to bear in mind your appetite for risk and actually what you want to do; what you can address in that context.
And this is also a good place to talk about some scheme specific aspects which Grant is going to talk about.
Grant: Thanks Helen. I think your earlier point about a multi‑employer scheme will have far greater data flows between different sponsors and the scheme and might also have diverging standards and approaches to data protection and cyber‑security within each of the sponsors. So that is harder, in the circumstances, for a trustee that whilst, in theory, you have got a plan and a policy then trying to join all those dots to keep it a consistent approach where there are so many stakeholders following their own policies. Now whether a "board and braces" cyber‑risk mitigation with a capital "C" or a small "c", if I have got that the right way there on the screen, depends on its budgets and circumstances.
But, in all cases, it is essential to carry out some form of cyber‑security risk assessment. Everyone is short of time, we have got competing priorities, but we will spend far more time and cost dealing with the aftermath of a cyber‑attack then spending a little of both time and cost upfront. So when it comes to Helen's point on available resources, it really is about maximising the resources available. So have your sponsors got their own plans and support in‑house that can help? Have your third party advisors and providers got cyber‑security plans in place and independent assessments that have tested those plans? And do your third party advisors have templates on cyber‑security policies so that, in your budget constraints, you can lift off the shelf and start from there.
Helen: So we have talked about understanding the threat, we have talked about assessing that threat and, in the next slides, we want to talk… we will come on to now in more detail about controls and mitigating that threat. Now I have got two slides on this – this first one is about governance and the documents and the other processes that act as controls and then I am going to come on to more technical and practical measures.
But the first point on this one is then one of management and governance. It is really important to have structures, policies and procedures in place setting out how the cyber‑security risks will be controlled and capturing those outcomes. So there should be a cyber‑security policy; there will also need to be documentation that captures the roles, the key people involved; their responsibilities and the decisions that they will take in respect of cyber‑security; and there will also want to be captured, maintained and retained that risk assessment, that we have already talked about in the previous slides. There also should be a record of the assets that the scheme has and what you are doing to protect those.
So that is the management and governance aspects. You should also, as we have touched on earlier, be looking at your supply chain because third parties can add... or carry cyber‑risks for you and this is particularly an area of focus, not just within pension schemes but all organisations at the moment because there is an awareness, including at government level, that we have got a limited number sort of key players in supply chains who are really carrying a significant amount of cyber‑risk for all of their customers.
So what you want to do is, you want to review your contracts with third party suppliers; you want to look around what obligations they have or audit rights you might have and what recourse you might have if something potentially goes wrong.
Grant: And Helen, just to pull out the risk assessment there perhaps with an example. So I spoke earlier about the increasing risk with short notice collateral clause – so, in those cases, having a moving money protocol in place is key from a risk cyber prospective to check, as an additional step, that the request is genuine and money is going to the right place. So, for example, its sounds inriskto the detail but really important you know the bank account, the sort code and the account number – does that match the trustee's records that you have seen before, so that it is verified and someone has not intercepted that email or instruction in the post. And has it been confirmed via a call back with the investment manager or consultant. That is really all what happens when policies meet practice.
Much of the hard work has probably, and hopefully, already been done by others that look at this, so leverage that and spend the time thinking about your scheme's specifics and where any gaps might be. For example, the flow of information around trustees to and from the company.
Helen: So let us now talk through some of those practical and technical controls that you may potentially put in place. So the first one I have got on the slide is around limiting network access and identity controls. It may not be necessary for all users to have access to the member data or certain parts of your systems and you should look to ensure that access is limited on a "need to know" basis.
The next item is data security. So limiting again the sharing of data, limiting the data that you hold to what is necessary and, where possible, avoiding the use of personal devices and the use of personal email addresses within the scheme which may add additional risk and additional systems into this overall framework of IT systems which are making up those that you rely upon. Then we have got system security and your IT experts will be in a position to assist you with this by identifying the necessary firewalls and anti‑virus software and any other programmes which should be implemented in order to close vulnerabilities in the system.
And then we have got resilience preparation. Now in the event that you do have a cyber‑attack and an attacker encrypts or erases data, it is really important that you have got a back‑up available and that back‑up is recent and useful. You also need to ensure that everyone, including the IT team, your non‑technical employees and anyone that would be involved in incident response knows what they are responsible for and what they should be doing in the event of a data breach or attack. So that is the document very often referred to, sort of capturing all of that information, as an incident response plan and you should have one of those, as well as a business continuity plan which details the strategy as to how keep the scheme business going in the event of an attack.
And the last item on the slide in terms of resilience preparation is cyber liability insurance. So a specialist policy which, depending on the terms, may provide a range of things in the event of a cyber‑attack. It may potentially cover your losses, but it may also help you with third party specialists who will come in and help you in the event of a cyber‑attack, which is also an important benefit for insureds that they often look to. So consider cyber liability insurance if you have not got some in place.
And then the final item – awareness and training. So Grant did touch on training earlier. The importance of having training and also keeping that training up‑to‑date and rolling it out again. If anyone has reported a data breach to the ICO you will know that one of the questions that is asked is, "whether the staff member involved had had data protection training in the last two years?" and obviously it is important and highly desirable to be able to answer "yes" to that question and to move on to other issues.
Grant: I agree Helen, having had to report data breaches that I have seen across some of my schemes and advisors in the past, that is where you want "all your ducks in a row" in terms of the governance and the steps you have taken because as Ben says, it does happen, but it is actually what was done and what mitigation processes were in place and putting it right going forward.
So what does "good" look like in these areas from a trustee perspective? Well, doing all of the above that Helen has described, "I guess I would say that wouldn't I, but it is true!" As trustees really we need to seek help in those areas from others and, at the very least, we need to have worked through each area; understand what is in place and the shortfalls; and made a conscious decision whether to tackle the shortfalls and if not, why not?
A quick reminder about purpose limitation, one of the best controls that we could have in place as trustees and advisors is not to share data in the first place. So ask the question "does the recipient really need to know what you are planning to send them?" and it is really important for us, as trustees, to limit the flow of data. I find, as a trustee, when people are trying to be helpful, all sorts of data flows backwards and forwards on an email on an individual or on a group basis to my own co‑board, by co‑trustees.
It is a good discipline to spot data when it comes in and consider when it is necessary as that can lead to changing the processes. So, to give an example, sometimes you might see data being shared and just going "actually that shouldn't be shared" or "we don't need to see that", deleting emails with the data on or responding to emails – taking out the email trail below and removing the attachment, really all leads to refining and limiting processes as a result. The fewer people that have the data, the better in terms of risk mitigation and cyber‑protection.
And I think two key areas that Helen has mentioned there where trustee boards achieve either "good" or "great" in this area are around the resilience preparation and the training. As Ben mentioned earlier, the most likely risk and cause is human error so training and frequent reminders of training as Helen said is really important.
Helen: So we have talked about the controls and the mitigations that you should put in place to combat the cyber‑threat, the next pillar is monitoring the threat and this is really important in terms of on‑going vigilance and also because this threat is sort of constantly evolving over time. So internally you want to be clear, where is monitoring happening? How is monitoring happening? And who is responsible for that? And again this can potentially be captured in the documentation we talked about earlier.
You will also want to be doing monitoring externally so looking for information on threats; on vulnerabilities; what is happening in the market, in the sector; what experiences are others having? Also looking at other potential sources of external threat, so again we talked about the supply chain, your suppliers and carrying out audits to make sure they are doing what they committed they would do in contracts and not increasing the threat that you may face.
Internally, again recommended to carry out testing or dry runs of your cyber incident policy. What would happen in the event of an incident? And having carried out those testing or dry runs, to really look at what lessons can be learned from actually trying to carry out that plan in practice. And a key thing there is, as much as possible try and involve third parties who perhaps have not put the document together so you do not get into a position where effectively you are "marking your homework". Try and expect or deal with, I should say, the unexpected.
Grant: So how, as a trustee, do we test our policies and cyber resilience? At Ross Trustees we see there being eight focus areas: there is the policy itself; there is the cyber map or assessment; the third party assessment; specialist support; liaising with the sponsoring employer; testing and maintenance, as Helen says; trustee indemnity insurance; and training. Phew, actually I did count eight there, good!
But I appreciate that is a lot to take in in a training session in itself, what Helen and I cover on this slide. But what I would like to bring up, from personal experience, is war gaming – there is incredible value with trustee board sponsors and advisors taking the time to test what would happen and how quickly we could move in the event of a cyber‑incident. And, of course, we have got many across the industry who are on hand to help with such exercises. This can be at a trustee meeting, a session which starts something like "there has been a cyber‑attack on X provider" which potentially affects the pension scheme and then you grab that policy, bring it to life and what you would do.
And that often flushes out some matters that do not work as well. Again the approach taken will be scheme specific and depend upon the board. I am seeing the requirement to address cyber‑security translating to different approaches for different schemes. It is typically the larger ones with time, resource and budget that are already complying with the requirements. They have got a policy in place, they have war gamed. But for others who are working towards or doing so, at least by the time the requirement comes in we hope, as a minimum to have a cyber‑policy in place.
It is recognised it is more challenging for the smaller, less well funded schemes without the budget and resource and for those where there are other urgent priorities around funding investment and covenant, but those schemes do still need a cyber‑policy in place to protect members, sponsors, assets and payments being made to our members. So I will say it again, "test your policies and plans" as things will come out of the woodwork. One that Ben and I tested, you know "how do you get hold of the right person within the sponsor, who is based overseas, to have a conversation on a Friday evening about a cyber‑incident?"
So really think about the most potentially damaging scenario to the scheme as well. So if we take a moment to picture who is the most involved person on our pension scheme. Is that the secretary to the trustee, the pension's manager, the chair of trustee, in the day‑to‑day running of the scheme? If you picture them for a minute, what if they suffer that cyber‑attack? It is worth working through that scenario to really test the policy.
Helen: Thanks Grant, I think that is really helpful in bringing out some of those points particularly on the testing and dry runs and learning those lessons that I touched upon. So we have talked about monitoring. Now the next pillar – we are going to look at minimising and responding to a cyber‑attack.
Now a cyber‑attack is usually sophisticated, or in many cases sophisticated, and can be difficult to identify and depending on the protections and the controls that you have got in place it may, nevertheless, be some time before you realise that something is actually wrong. However, there are some red flags that it can be useful to look out for in the event that you have been compromised and may help you to spot something that is wrong sooner. So we have got those on this particular slide.
So you may find that your computer, or your other devices, are running extremely slowly or failing to load, software not starting up in good time. If that is unusual, then that could be a sign of a hacker tool like a trojan worm or some other ransomware having affected your system. If you or your colleagues cannot log in despite using the correct user credentials then again that may be an indication that an attacker has tampered in some way with your system. You should look out for emails which you would not usually expect to see, like password reset emails or containing links to third party websites, which you should of course refrain from opening.
And those sort of phishing emails are often also the subject of something that you could test for with the help of IT experts, in terms of rolling out emails through your systems and checking that people are not clicking on them. But if you are getting those links, it is always important to report it to someone and see if they are actually something that a hacker is trying to hack your systems.
If you find a piece of software inexplicably unavailable or is crashing when updating or running extremely slowly then again this could be a sign of an indication that an attacker has taken control of your systems. Similarly new or an unauthorised software installations resets or shut‑downs, in circumstances where there is no legitimate explanation, that may also be an indication that an attacker is operating your system remotely or is installing a hacker tool. Whether it is a custodial of assets or data or any third party advisor tells you that they have suffered a cyber‑attack then, depending on the nature of the attack and your relationship with the third party, there is a risk that the attacker has also impacted on your systems as well.
But either way you will want to respond extremely quickly to that and involve the right people to make sure that you are protected and that you are taking all steps to respond to the threat to the third party as well. Sometimes hackers will also try and conduct test attacks on your systems to try and identify vulnerabilities. Even if your IT team are able to fend off that smaller attack, it may be or it is important to be extra vigilant for something larger following because that small attack may just be precursor to something else.
And finally, notifications from attackers will also… if one comes through, is obviously an indicator that you have been compromised and you will want to respond to that and very often notifications from attackers are accompanied by demands for ransom payments and you will want to take advice on that. But in all of these things, the absolute key is to respond quickly as soon as something like this is spotted and to also make sure that anyone who does experience one of these things knows exactly who they need to contact in that situation. And that should be captured in the instance response plan and rolled out in terms of the training that we have talked about so that everyone has got, at their fingertips, what they need to do without potentially having to rely on the documentation because that could be on the compromised system.
Grant: I agree Helen, particularly on that point about being able to act quickly. It is not a problem you can ignore when it arises, it is about how you deal with it and how quickly on the cyber‑attack. So just three points to pull out here that Helen has built on really. It is about having… to help with this IT assistants – we will come on to communications later – but you can have draft communication templates ready to go. And really for me as a chair of trustees, it is engaging with your legal advisor. So having them on the cyber security policy as it is likely you will need their help, particularly if the cyber security attack is one of your advisors.
Helen: So minimising a cyber‑attack – the final pillar. And we have talked about moving quickly and Grant has helpfully sort of started to touch on some of these that I have got on the slide in terms of getting IT assistance and engaging with legal and potential notifications. But there are a few others which I will just touch on in a bit more detail.
So we have talked about putting or having plans in place, the instance response plan. Really important to put that plan into action from an audit trail perspective and also to maximise all the effort that you have put into having that plan. You want to make use of that plan and if somebody comes along afterwards and sort of looks at your response then it obviously looks more credible to have actually followed the plan that you thought was a good idea to put in place beforehand.
The fourth point, contacting your cyber insurer – so this is one to bear in mind and not get lost when you are dealing with the immediate aftermath of an incident. The policy will usually provide contact details in terms of making a notification and insurers are likely to want information in terms of what has happened and what has gone on. But the key thing here, from a sort of maximising the pension scheme's position, is to make sure that you comply with any notification requirements so you do not lose the opportunity to rely on your cyber insurance down the line. And also that you are properly engaging with the cyber insurer in terms of making any big decisions in terms of what you might tell affected individuals or what you might tell third parties about what has happened because the insurer may also have a view on that in terms of, if they are then going to pay out and any consequences that might follow from those big decisions.
So the fifth point, your legal team will be able to help you with advice in terms of notifications – whether that is to the regulator, either in terms of data protection or the data regulator, what you might say to affected members, what you should tell the police and all of the third parties such as the NCSC. So those are the notifications that you will want to consider. You may also need further IT help, at this stage, to investigate what has gone on and to help you restore corrupted or encrypted files, as Grant has touched on, that is really important.
In any incident, obviously you would wish that that incident has not happened but there will always be lessons to be learned from any incidents, so that is an important point to bear in mind at the end. If you do go through an incident think about what you have learned, what you would take into account next time and how you might change your policies and documents as a consequence.
Grant: So Helen and Ben, perhaps a thought from me to leave our audience with. So for me, as a trustee, it is important to committing some time to spend on this and some budget as we will spend far more time and cost dealing with the aftermath of a cyber‑security then we will spending a little more time and money up front. I think it is time well spent, particularly as cyber-risks becomes increasing up the risk agenda.
Helen: Thank you Grant. So that is really important. I just had one closing thought which I just wanted to add in terms of what I was talking about in terms of dealing with an incident and that is, just to bear in mind that again you will be taking actions quickly. You might be creating documentation and it is important to bear in mind, at that stage, that any documentation that you could be creating could be disclosable in a piece of litigation or it could be disclosable to the regulator. So what you should be doing is, where you are creating those internal documents for your own records, making sure they are factual where possible and avoid drawing any sort of conclusions or admitting fault in the first instance.
But finally, I just wanted to round up with some thoughts based on everything Ben, Grant and I have covered in terms of what you can do after today's session and we have… I think the first thing to acknowledge is that we have covered a lot in that time and this is not something, as will be apparent in what we have discussed, that can really be dealt with by one person in isolation. It does require the help of IT, it might require the help of sponsor and other third parties. But what we have tried to encapsulate here are some things that we think are ones to focus on really in terms of after today's session. It might be overstating it to call them "quick wins" but things which you can nevertheless make progress on.
So the first item we have got is updating the risk register in terms of that risk assessment and potentially also looking at assessing your own position as well; including cyber‑risks in the single code compliance projects; considering your own personal IT set-up, so as I have touched upon considerably IT help may be required or at least useful in terms of looking at the scheme's overall position. But, as a starting point, you can look at your own personal IT set‑up because actually getting any issues that you might obviously experience personally will obviously be an issue for the scheme overall and also an issue for you – so one to avoid.
Thinking about those third party providers so, if you have not already, issuing questionnaires to them in terms of what cyber‑security measures they have got in place and when the responses come in, considering those in due course. Looking at whether you have got an incident response plan if not adopting one, or looking back at what you have already got in place and considering whether it should be updated. And then the last item I have got there is considering insurance. Now in the context of this session what I have talked about is obviously insurance for the scheme and the potential advantages to the scheme in having insurance in place, but you might also want to consider your own position, in the first instance, as well.
Ben: Okay, thanks very much to Helen and Grant and we have stuck fantastically well to time, I think. I think that is your influence Grant, it usually happens when you are on a call. So I am pleased to say we have some questions from our audience so thank you all very much for your engagement so far and we will get to as many of those as we possibly can. I will give the other panellists, who have been doing a lot of work over the last half an hour, a chance to have a quick look at those questions and I will take the first one from an anonymous attendee.
So the question is, "as consultants, how can we help pensioner trustees who have Gmail/Hotmail addresses to protect themselves and their devices from a cyber-attack?"
So I think this is a really helpful and really practical question because the reality for a lot of our clients is that we do have pensioner trustees or just trustees generally who have non‑company email addresses, so they do not work for the sponsor anymore – they do not have company.com email addresses. I think it goes back to the training point, first and foremost, so understanding the importance of having protections in place, understanding the importance of doing things like updating your files, updating your anti‑virus software, so taking those easy wins, those simple things that you can do to improve the security of your home computers and email addresses.
But it also goes to the point that Grant was talking about earlier about purpose limitation and making sure we are only sharing the data that is absolutely necessary and we can always take additional steps to further protect that document if it has to go to a Gmail/Hotmail account that is not specific to those email addresses. They are just not company email addresses that is what we are talking about here. And so using things like password protected documents, even something as sophisticated as two factor authentication, so somebody can access a document and then taking the document that is within that document and doing our best to minimise it, so that might involve something like sudominasion so making sure that it is harder to trace who the person is that we are talking about, like using member numbers – things like that. So making the jigsaw harder to put together for somebody who might access the document. So thank you very much for that question from our anonymous attendee there.
I have got a question here which I think is probably well suited to Helen which is, "how does Gowling assist a client affected in multi‑jurisdictions by a cyber‑security incident?" So thank you Maria for that question and Helen, can I pass over to you.
Helen: Of course. So, this is not uncommon that a cyber‑security incident can potentially affect a client in multi‑jurisdictions because, as we know, cyber‑criminals do not treat our country boundaries or jurisdictional boundaries with any importance whatsoever and are also just keen to target as much data as they can and that data may be relating to individuals that may be resident in different jurisdictions. So not an uncommon issue.
The first point is really to understand actually which jurisdictions are potentially relevant though and not simply to go out and get advice from every single jurisdiction that may be relevant because that may be overkill in the circumstances. So some initial advice but then depending on the jurisdictions involved I have been part of a number of global teams internally with some of our international offices where we have helped a client respond to an incident and that may have come from North America and I am providing advice on England and Wales. or equally I may have been one going out and looking for advice from our other offices, and equally if it is in a jurisdiction where we do not have a particular office then we work with our best friends in those jurisdictions to put together a co‑ordinated response. So that was a long answer to saying "we do" and "we can".
Ben: That is great, thanks very much Helen. A question which I think maybe Grant would be well placed to have a look at, but feel free to throw it back towards me Grant if you would like. So a question from Khalid, "what input should there be from the sponsors to the trustees?"
Grant: I am really encouraged by that question as a trustee with sponsor involvement and, as with everything really, collaboration is key, so working alongside the sponsor and really helpful to understand from the sponsor who the person is on the ground to help us understand the IT and the data flow between the trustees and the company but also who the person is on the ground to go and get involved in that incident response plan as and when it happens. I think that is key.
And then obviously if there is a cyber‑event and it relates to a pension scheme and the pension scheme has got the sponsor's name in it and of course there is reputational issue as well so I think that is why it is key to have someone from the sponsor who handles media and communications in that incident response plan at some point to cover that off. And so I think to request from the sponsor really would be "let us know who your contact is and let us know if your contact changes". It is no good us having a contact and then they have moved on elsewhere or are no longer involved. And "let us know if you have a cyber‑breach as well, even if it is a suspected one". So again the trustees can start to do preparation and with regards to the data. So those are some thoughts from me, Ben.
Ben: That is really help, thanks Grant. I think it is a classic risk situation is it not, which is that "you are only as strong as your weakest link" and if the trustee processes are not strong then that is a direct concern of the sponsor because ultimately the sponsor is the funder and last resort for the pension scheme. So collaboration and working together is really important because it is in everybody's best interests there.
I have got a question here from Giles, thanks for the question Giles. This is about pensions' dashboards so something I covered off on one of the very first slides. "Will there be new risks relating to cyber from pensions' dashboards and, if so, what are they?"
I think the answer to that really Giles is that it is an exacerbation of an existing risk, it is an increase to an existing risk. The cyber threat of sharing information with dashboards is, I suppose, the risk of individuals accessing their data or accessing data that does not belong to them actually that relates to all of their pension information. So what the dashboards are, they will just be a way of you seeing all of your pensions in lots of different schemes and indeed eventually your state pension as well.
So if you are able to glean enough personal data about somebody to get hold of their records or their National Insurance number or something like that, there is a greater risk of somebody pretending to be one of your members, pretending to access their benefits and that is really, I think, the central cyber security risk that we are talking about there. I do not know, Grant you have got some schemes who are looking at dashboards, whether you have got any thoughts about the sort of increase in risk there?
Grant: I think again it is just working through those policies and procedures and on that map… cyber map assessment I talked about. There is clearly more data that is flowing around now under different people so again understanding the protections going out and beyond. But I agree I think there are new risks coming and we do not know them yet do we? Until we work through the detail and see the dashboard live. So being abreast of those, as trustees linking with our advisors on what it means really.
Ben: That is great, thanks very much Grant. Just a question from me. So I will not be anonymous, I will just ask my question so, "from your experience of dealing with schemes that have suffered a cyber‑attack, if there was one lesson that you could sort of get a time machine, go back in time to tell the trustees who have not yet suffered an attack, what would that lesson be?"
Grant: So I think for me Ben, I think it is just really make sure the time is spent understanding where the potential weaknesses are and mitigate as best as you can against those. So in that particular scenario, that was it actually, had we had worked through the detail then we might have at least spotted some actions. Would it have prevented it? Probably not, but at least you would feel comfortable that we knew where the weaknesses where and mitigated as best we could against those.
Helen: I think from my perspective I think that is a really good example of an issue that I have seen come out of responding to an attack – wishing that the plans had addressed something slightly different or had been tested, because actually when it came to it they were not perhaps as useful as was hoped.
But I think the central thing I would say, because there are very many lessons, I could talk for much longer than the time we have got in terms of things that both I and clients have learned, is that we wish it had not happened. It is a very painful experience, not just spending time with me but in terms of having to deal with the whole incident, the notifications potentially, the aftermath, the dealing with the parties – it really does take up a lot of time, effort, cost and resource and therefore prevention is cure. And therefore investing upfront and doing as much as you can to avoid an attack in the first place or mitigating the consequences I think would be the central thing that probably every client that has been through that experience would say.
Ben: that is great, thanks very much to you both. So we have got a couple of more practical questions here, one from Peter and an anonymous question but along the same theme which is, "can we get hold of the slides or a recording of this session afterwards?"
So, "yes" is the answer to that. The recording will be available to all attendees and we can email around the slides as well, so pleased to hear that people are finding it useful and obviously as has been said there by Helen and Grant, we have covered a lot of ground today. And if you need to follow up with us at all by email, please do so, please get in touch because this is an area that we are all obviously focussing on and we are happy to help with.
So all that really remains is for me to say a massive thank you to our panellists. So thank you to Helen and to Grant and to give you all five minutes back in your day by finishing on time, which I can see already, by Grant's face, has pleased him greatly. So thank you for joining us and we will see you next time. Thank you very much.