Pensions and cyber risk have become a topical issue following the Capita cyber incident and it seems that barely a week goes by without a new story showing the increased incidence of cyber risk.
However, cyber risk is nothing new. The Pensions Regulator has been providing guidance to Trustees on building cyber resilience for nearly four years now, though not all schemes have reacted to that in the way the Pensions Regulator would have liked.
Pension schemes are obvious cyber-attack targets. They are increasingly reliant on online services, and, from the Pensions Regulator’s perspective, many are under-prepared, which adds to the risk.
Data security has been considered by schemes for a long time – particularly so since GDPR – but cyber risk is more far-reaching than data security. It goes to wider systems – and the availability of systems – covering not just member data but also assets held by schemes.
A lack of engagement to date by a number of schemes on dealing with cyber risk has led to enhanced governance requirements from the Pensions Regulator in the new General Code and the updated Guidance for Trustees on cyber security (issued in December 2023).
Cyber threats
When considering the main types of cyber threats, it’s less likely that the scheme itself, or Trustees, would be attacked, but the scheme instead being impacted. For example, an attack on a third-party provider or the sponsoring employer’s systems which are used by the scheme.
Ransomware, which is a form of malware, and data theft are perhaps the most prevalent cyber threats. Ransomware involves cyber criminals encrypting the target data, disabling access to the related systems, and demanding a ransom in exchange for unlocking the systems.
All of this could have the effect of:
- members not being paid benefits;
- members not being able to access benefits when they become due;
- members being unable to change investment choices; or
- employer contributions not being able to be received.
Trustee legal framework
In terms of the legal framework under which cyber risk sits, we have a number of different areas to consider.
The data protection laws and the Trustees’ obligations under them as a data controller will be relevant. As data controllers, Trustees are responsible for the core legal principles under UK GDPR.
These principles include ensuring the appropriate security of personal data and protection, which extends to responsibility where data processors – such as administrators – are used.
As data controllers, Trustees need to implement appropriate technical and organisational measures to ensure appropriate security for the personal data they process, and this includes protection against unlawful processing.
They are also required to have clearly documented policies and are subject to ongoing accountability, which requires Trustees to be proactive rather than reactive.
All of this means that there could be scrutiny placed on data protection if something goes wrong.
Alongside the UK GDPR, we have the Pensions Act 2004 which now provides for Trustees – with some exceptions – to establish and operate an effective system of governance, including internal controls proportionate to the scheme concerned. The Pensions Regulator explicitly states in the cyber module to the General Code that these controls need to include measures to manage cyber risk, thus building in cyber resilience as part of an effective system of governance.
And of course alongside this there is the wider fiduciary role of Trustees, which must include protecting against cyber risk as part of proper scheme management and payment of benefits.
Building cyber resilience
The Pensions Regulator’s guidance on cyber security sets out good practice processes to help Trustees tackle cyber risk and build resilience, seeing cyber risk as part of the risk assessment cycle. Some key guidance points are:
- having clear roles and responsibilities between those involved in cyber resilience, which can be documented in the Trustees’ cyber policies;
- cyber should be on the Risk Register and regularly reviewed;
- Trustee training has a central role in ensuring knowledge and understanding is up to date on risks and the likelihood of attack, as well as practical measures to deal with risk;
- agreement on an incident response plan; and
- involving expertise where necessary.
This sits alongside the Pensions Regulator’s expectations in the General Code which specifically refer to the Trustees having cyber related policies in place, dealing with:
- breach reporting;
- incident response; and
- policies in line with data protection laws.
Having these policies in place is not something all schemes have, which is part of the reason the Pensions Regulator is emphasising the need for these in the General Code.
Third party providers
A key priority to reduce risks is to assess third party providers – most notably the administrator – to evaluate if they meet best practice cyber security standards. Providers can be asked about the cyber controls they have in place in new appointments, but there will of course be providers who have been in place for a longer period of time and haven’t been asked about these.
Questionnaires are a typical part of this process, with a focus on administrators who are involved in more transactions and interactions with scheme data.
The General Code will have expectations on the Trustees to satisfy themselves on the controls the providers have in place.
Dealing with a breach
That takes us to dealing with a cyber breach. This is where the incident response plan will come into play on the steps to be taken by the dedicated response team. A key aspect will be regulatory reporting to the Information Commissioner’s Office and potentially member notification where there is a data breach.
Not every breach will need to be reported – each must be assessed over what is a reportable breach and what is a non-reportable breach.
Breach reporting to the Pensions Regulator may also be required. Primarily this will rest under the whistle blowing requirements of the Pensions Act 2004 and occur when there is a reasonable cause to believe that a legal duty relating to the administration of the scheme has not been complied with and that non-compliance is likely to be of material significance to the Pensions Regulator. For example, an inability to pay pensions because systems are impaired by a cyber-attack could trigger reporting.
In its guidance on cyber security, the Pensions Regulator goes further, asking schemes and advisers to report significant cyber incidents on a voluntary basis.
Some final thoughts
We have seen a huge increase in the use of technology to administer schemes. Not all, but many schemes are under-prepared – hence the increased Pensions Regulator focus.
The Pensions Regulator has taken the opportunity in light of the Capita incident to reinforce its messages on cyber risk. This further adds to Trustees reflecting on their position, whether impacted by the incident or not, with the obvious place to look at this as part of General Code compliance projects.
The legal and regulatory requirements are in different places and Trustees need to be aware of them, even though they don't hang perfectly together.
At the end of the day, it may not be possible to prevent a cyber-attack, but there are actions Trustees can make to demonstrate the steps taken in managing cyber risk and how they have dealt with it.