Pension schemes transfer millions of pounds every month and hold sensitive and private information. This makes them a potential target for criminals who can manipulate money transactions or steal data and sell it on the dark market. Trustees and Sponsoring Employers potentially face severe reputational damage for getting it wrong. Trustee Boards and Company Directors can be sued if not enough is done to protect the scheme.
In April 2018, the Pensions Regulator released the guidance ‘Cyber security principles for pension schemes’ which defines cyber risk as follows:
‘The risk of loss, disruption or damage to a scheme or its members as a result of the failure of its information technology systems and processes. It includes risks to information (data security) as well as assets, and both internal risks (e.g. from staff) and external risks (e.g. hacking).’
The Pensions Regulator sets an expectation that Trustees are actively managing their cyber risk and notes the following:
‘The cyber risk is complex and evolving and requires a dynamic response. Your controls, processes and response plan should be regularly tested and reviewed. You should be regularly updated on cyber risks, incidents and controls, and seek appropriate information and guidance on threats.’
Unfortunately due to the everchanging nature of cyber crime no one consistent approach will ultimately prevent attacks. Therefore the focus is on finding a balance between the degrees of cyber security protection and cost.
To help understand whether you have the right balance, check you can answer the following 7 key questions:
1. Are you aware of your responsibilities and liabilities?
The Pensions Regulator has released guidance setting out their expectation for trustees but there are also other regulatory and governmental bodies such as the Information Commissioners Office, Data Protection Act, General Protection Data Regulation and many more, that will provide further guidance and requirements. In the event of a breach it is vital for Trustees to ensure that they have complied with all the various requirements.
2. Do you have an agreed definition of risk appetite and tolerance?
Trustees need to have determined the amount of risk they are willing to accept in relation to cyber security. This understanding will allow you to begin planning what your protection looks like. You must be confident that the minimum amount of controls and processes are in place to reflect your agreed risk appetite, and to be able to defend these actions and report back to members in the event of a breach.
3. What are your most valuable information assets?
Cyber criminals are not necessarily targeting the financial assets held by the fund but a wide variety of information. The EY Global Information Security Survey (GISS) 2018-19, a survey of over 1,400 CIO, CISOs and other executives across the globe on the most important cybersecurity issues facing organizations today, shows customer information was the most valuable information to cyber criminals followed by financial information and strategic plans. Your scheme may hold confidential information on both your members and your sponsor.
Top 10 most valuable information to cyber criminals
1. Customer information
2. Financial information
3. Strategic plans
4. Board member information
5. Customer passwords
6. R&D information
7. M&A information
8. Intellectual property
9. Non-patented IP
10. Supplier information
4. Where are your most obvious cybersecurity weaknesses?
Pension schemes hold and regularly transfer significant volumes of member information and interact with a large number of stakeholders. Due to high dependency on 3rd parties for transferring money, hosting data, and any other services, third party risk needs to be managed with the right contracts, technical controls and insurance. You will need to be confident of security across all areas where members’ information is held including the security of those third party vendors.
5. What are the threats you are facing?
The GISS highlights that most successful cyber breaches contain ‘phishing’ and/or ‘malware’ as starting points. Attacks focused on disruption rank in third place on the list, followed by attacks with a focus on stealing money. Although there has been quite a lot of discussion about insider threats and statesponsored attacks, these are considered a lower threat.
Top 10 biggest cyber threats to organisations
3. Cyberattacks (to disrupt)
4. Cyberattacks (to steal money)
6. Cyberattacks (to steal IP)
8. Internal attacks
9. Natural disasters
6. Have you already been breached or compromised?
Many organisations are unclear about whether they are successfully identifying breaches and incidents. Our survey showed, among organisations that have been hit by an incident over the past year, less than a third say the compromise was discovered by their security centre. Pension schemes should be regularly reviewing their detection protocols to ensure they remain secure and in the event of a breach have a well defined incident response plan, that is exercised and kept up to date.
7. How does your protection compare with other pensions schemes and industry expectations?
Pension schemes across the UK will all be facing the same difficulties on deciding what level of protection is appropriate to protect members interests. You should seek to understand how your scheme compares to the wider market on cyber spend and protection.
In summary, Trustees should have an understanding of where their cyber risk exposure is and establish a plan on what needs to be addressed to ensure members’ information is adequately protected. Although no amount of protection will completely prevent a breach from occurring, Trustees need to ensure that a reasonable minimum level of protection is in place and processes are operating as expected.
Associate Partner, Pensions &
Partner, Cyber Security