News last week suggested that one third of UK pension schemes may have suffered a data breach or cyber-attack in the past 12 months. It has also emerged that over 150 data breaches relating to the pensions sector have been reported to the Information Commissioner's Office (ICO) since the General Data Protection Regulation (GDPR) came into force in the UK in May 2018.
So, is there a risk that, after the rush to ensure compliance with GDPR before May 2018, pension schemes have taken their eye off the cyber-risk ball?
Here we look at the nature of the cyber risks facing pension schemes and how trustees might look to get to grips with them.
All pension schemes in the UK are at risk of cyber-attack and data breach. It is not so much a case of "if" they will suffer a cyber-attack but "when". After all, they are an attractive target. Not only do DB and DC schemes look after billions (if not trillions) of pounds worth of assets, but schemes and their advisers hold exactly the type of personal member data (names, addresses, dates of birth, National Insurance numbers, bank account details and so on) that makes a hungry hacker lick their lips in anticipation.
A scheme is exposed to cyber risk in two main ways. The first is a direct breach of, or attack on, its own IT systems, or those it shares with the sponsoring employer. The second is a breach or attack at a service provider that affects the scheme; for example, the scheme administrator manages member data and pension payments for the scheme, and its IT systems are connected to the scheme's and exchange information with them.
The scheme could then suffer very significant financial and non-financial losses because of a cyber-attack or a data breach.
Data and scheme assets could be lost or stolen, the trustees could be fined by the ICO, and the scheme would incur costs responding to and recovering from the incident. The trustees could then face claims and complaints from members whose data was compromised. There is also the risk of reputational damage and of future frauds perpetrated on the scheme.
Trustees remain responsible, and accountable, for the cyber security of scheme information and assets even when they have outsourced day-to-day management to a third-party administrator or professional adviser. The cyber buck will very much stop with the trustees. So, they must take steps to satisfy themselves that the members and assets of the scheme are protected against cyber risk.
How can trustees manage, and do their best to avoid, cyber risk? Here are our top ten tips:
- Put cyber risk at the top of the agenda for trustees' meetings and of the risk register. It must be addressed and regularly reviewed with the same level of seriousness as issues such as the scheme deficit and investment strategy.
- Does the trustee board require more regular training to stay on top of cyber-risk issues? Many boards received cyber-related training in the period before GDPR came into force, but that may now need refreshing. As part of this, do the scheme's cyber-security controls and governance procedures require independent risk assessment and auditing?
- How secure are the laptops or PCs used by trustees, the pensions manager and the scheme secretary for scheme business? Is the anti-virus and anti-malware software up to date? Are security patches and updates applied promptly and regularly? Is two-factor authentication in place for access to scheme systems and email?
- Hackers sometimes target the people who have access to key data rather than the data itself, because the people are easier targets, and cyber-attacks via phishing, malware and ransomware are increasing. So trustees need to think about the security of the email system used for scheme and member correspondence. Is it susceptible to attack, and could the electronic signatures used to transact scheme business be stolen and used to commit fraud? Does the system need a review and audit by IT consultants?
- The Pensions Regulator regards cyber security as a top priority for schemes and sets out its expectations on its web site. Trustees should keep a close eye on TPR pronouncements and guidance to ensure they are following best regulatory practice. They should also check to see what other industry bodies are saying about cyber issues and emerging issues, especially the National Cyber Security Centre.
- Trustees should closely question their professional advisers and administrators on their cyber-security arrangements. What do they say about their compliance and certifications, and how would they respond to a cyber-attack on their systems that affected the scheme? Are they complying with recognised cyber-security standards (for example, ISO/IEC 27001)? Do the trustees have a contractual right to audit the third party's compliance with those standards? Does the third party have insurance in place that would respond to a cyber-attack?
- Trustees should think about contractual provisions for cyber-risk transfer. They should review the scheme's third-party supply contracts and check whether they contain appropriate data-protection and cyber-security warranties, indemnities and provisions for compensation in the scheme's favour. If they do not, can the contracts be re-negotiated now? Many of these supply contracts are older ones that may not even contemplate the type of cyber issues now confronting schemes in the twenty-first century, and they will need updating.
- Insurance may offer valuable financial risk transfer in the event of a cyber incident, so trustees need to consider whether the scheme needs cyber-liability insurance. Does the scheme have it? What types of loss (first party and third party) does it cover? What is the limit of indemnity, and what are the exclusions? Are there professional advisers written into the policy who can be called upon at a time of crisis? Other insurances may also come into play, for example to cover physical damage caused by an attack on the scheme's IT hardware or software.
- Maintaining a cyber-attack and data-breach incident response plan that is regularly reviewed, updated and (critically) tested in dry-run rehearsals is crucial. Trustees must also plan for how the scheme will continue to function if it is affected by a cyber incident, and should work with the administrators to devise that plan.
- Trustees should keep close to hand out-of-hours contact details for key decision makers, IT consultants and professional advisers who can be called upon at short notice. Remember that cyber incidents often surface out of hours or at weekends.
This may sound daunting, but many of these actions are straightforward and can be implemented quickly and relatively easily. There will inevitably be a cost to the scheme, but it will be insignificant when weighed against the losses suffered by a scheme that disregards the importance of cyber security. It will also allow trustees to sleep a little sounder at night in the knowledge that they have done their level best to protect their scheme from cyber risk.