It’s time for trustees and pension managers to consider cyber as one of the biggest risks facing the security of the scheme and act accordingly.
In March, Capita suffered a cyber breach at the hands of the Black Basta ransomware group. Around 90 organisations, including pension schemes such as the USS and Axa, have reported personal information breaches.
In total, millions of pensions policyholders have been affected. Understandably, the breach may have served as a wake-up call for schemes, particularly around third-party risks.
However, it’s important that trustees recognise that cyber vulnerabilities are not confined to administrators. Schemes also need to acknowledge that attacks are increasingly inevitable in the digital world.
Roseanne Corbett, client director at Muse Advisory and outsourced pension manager says: “It’s not ‘if’ a cyber incident will occur but ‘when’. The way we need to think about cyber risk, given how challenging it is to prevent it, is to be as prepared and well-equipped as possible to respond to an attack, recover from it and be resilient in its aftermath.”
Lindsay Sadler, senior principal, governance leader at Mercer adds: “Faced with the increased risk of an incident and the potential consequences if one occurs, it’s time for trustees and pension managers to consider cyber as one of the biggest risks facing the security of the scheme and act accordingly.”
The role of trustees
The new TPR general code clarifies schemes’ roles and responsibilities when it comes to cyber risk management. It states that an effective system of governance requires measures to reduce cyber risk. It adds that functioning cyber controls will help trustees in complying with data protection legislation and may reduce liabilities in the event of a breach.
Girish Menezes, head of administration at Isio and a PASA board director says: “In the dynamic landscape of the pensions industry, ensuring robust cybersecurity practices is paramount to safeguarding sensitive financial data and securing the retirement futures of countless individuals.”
Beyond TPR’s code, schemes will also have serious responsibilities if any personal data is leaked. These require specialised knowledge to be carried out correctly.
Sadler explains: “One of the top concerns for any trustee or scheme manager should be a breach of personal data which can require the designated data protection officer to report to the Information Commissioner’s Office (ICO) and TPR. This is a complex task which requires a very clear understanding of the guidance set out by the regulator and if not handled correctly could end up causing significant damage from a financial and reputational perspective, so undergoing crisis training is crucial.”
Menezes adds that firms should consider external accreditation such as Cyber Essentials Plus, ISO 27001 and ISO 27031. This can give reassurance around both IT security and resilience.
Where to start
Cyber risk is not something that can ever be completely mitigated, but there are ways to reduce exposures. The key is to take proactive action early and start with an Incident Response Plan (IRP).
An IRP is designed as a practical guide to the actions and steps the trustee should take where an cyber incident occurs so that scheme operations can resume as swiftly as possible. It should also cover data breaches and any other material event that might affect scheme operations or the ability of the trustee to function effectively.
Corbett says that having an IRP in place is something the general code requires, but that she’s seeing schemes being proactive about implementing these on the back of the recent cyber incidents with Capita and MOVEit.
She says: “An IRP on paper though can have its limitations. Often a live scenario provides the best way of understanding how one would actually respond in practice to an incident. Role playing a couple of different incident scenarios, eg cyber attack and something operational like prolonged payment systems failure would help identify where the gaps are in the IRP. Doing so would also bring the plan to life and help with muscle memory, if and when an incident should occur.”
Sadler adds: “A good plan will set out the roles and responsibilities of the team responsible for responding to the incident as well as the practical steps to deal with impacts, including the communications strategy both internally to impacted colleagues and externally to members of the scheme.”
Human error
Trustees should note that 95% of all cyber breaches stem from human error, and therefore training staff is imperative. This should be carried out with third-party cyber experts and should be specific to the pension scheme and its own nuances, for example, which third parties it works with, whether they outsource the administration functions.
Corbett says: “Ensuring passwords are complex, not shared with others, not using personal email addresses for trustee work, not clicking on unknown links in emails. These are often simple ways hackers can infiltrate systems, sometimes without us knowing they are lurking for a long period of time.”
Menezes adds: “A multi-faceted approach is essential, beginning with a comprehensive risk assessment to identify vulnerabilities and potential threats. Implementing state-of-the-art encryption protocols, robust firewalls, and intrusion detection systems creates formidable barriers against cyber intrusions. Regular employee training and awareness programs foster a cyber-conscious culture, reducing the human factor in potential breaches. Collaborating with cybersecurity experts to stay updated on evolving threats and adopting a proactive stance in applying security patches is crucial.”
Third-parties
Clearly, third parties such as administrators present a key risk for schemes. Oversight is key but trustees need to have confidence in the information and assurances they’re being given by their providers.
If trustees aren’t asking the right questions, they cannot rely on what they’re being told. For instance, many didn’t know that their outsourced administrators were using MOVEit to transfer payroll files.
Corbett says: “GDPR requires data processing to be recorded and data mapping to be carried out, with data processor/ sub-processor contracts meeting GDPR requirements. It also requires the data controller (the trustee) to approve the usage of any sub-processors. How many schemes do this, or even can when providers use so many different sub-contractors that are potentially changing frequently as technology evolves?
“Those sub-contractors may also be sub-contracting to others… The supply chain is only as strong as its weakest link. If… outsourced providers aren’t being actively managed, it’s unlikely the right controls are in place to manage cyber risks.”
Even where there is no contractual right for the trustees to intervene, they should be proactively told about any changes, rather than just relying on a sentence in their contract that says that any sub-contracting will be the responsibility of their appointed administrator. Lack of understanding and oversight exposes trustees.
Sandler says: “A key component to protection is understanding the exposure to such third parties and then how they protect themselves against cyber risk, including their onward exposure to other parties. Due to the evolving nature of cyber threats, protecting yourself from these isn’t a ‘one and done’ exercise.”
Being proactive
The good news is that schemes that get cyber protection right will see significant benefits. These include not only reducing the likelihood of an event, but also limiting the impacts when one does occur. However, this means trustees need to be on the front foot and actively managing the risks.
As Sandler puts it: “Being proactive during a breach is critical to protecting the reputation and brand perception of not just the trustee board but also the parent company. Recent breaches have highlighted the need to understand what to do when faced with an incident and having a well prepared and tested Incident Response Plan could greatly reduce impacts of an incident.”
Menezes concludes: “By weaving cybersecurity into the very fabric of pension operations, the industry can exemplify its commitment to data integrity, earning the trust of beneficiaries and fortifying the foundation of secure retirement planning.”
Article originated in Pensions Expert
ISO News is an aggregator of global media. All the content is available free on the internet, we have just arranged it in one platform for educational purposes only. In each article, the hyperlink to the primary source is included. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – ISOnews713@gmail.com and the content will be deleted within 24 hours.
