How Pension Schemes Can Build-In Effective Cyber Security Measures

Cyber risk is now a major threat to pension schemes as criminals target online services in search of personal data and assets. Trustees and scheme managers can manage this risk by building in cyber resilience and operating internal controls, keeping cybercriminals locked out and maintaining the right levels of security going forward.

The Risks

The cyber risks in today’s online environment cannot be over-emphasised. The many threats to personal data and pension assets include internal risks (e.g. from staff or rogue employees), external risks (e.g. from hacking), increasingly popular social engineering attacks such as phishing, and malware and ransomware.


In addition to managing the business risk, pension trustees and administrators now need to ensure that they can manage the cyber risks. One risk that crosses both online and offline areas is the risk to personal data security.

Pension trustees and administrators must ensure that systems and controls are in place to ensure compliance with the General Data Protection Regulation (GDPR), workplace pension scheme rules and Financial Conduct Authority regulations for private pensions.


In many cases, personal data breaches and cyber-incidents need to be reported to the Information Commissioner’s Office (ICO) in the UK and the appropriate pensions regulator. Under GDPR, fines for data breaches can be huge. For example, Marriott could be facing a £99 million fine for a data breach between 2014 and 2018 that reportedly involved up to 383 million guests, and BA (owned by IAG) could be facing a record-breaking £183 million fine for a breach of its data systems last year that could have affected 500,000 customers. In fact, research conducted by law firm DLA Piper shows that since GDPR came into force in May 2018, £100M of data protection fines have been imposed on companies and organisations across Europe.

Theft of personal data in a cyber-attack, for example, means that the incident must (under GDPR) be reported to the ICO within 72 hours and all individuals whose data has been affected must be notified. A data breach causes suffering and problems for those whose data has been stolen, who are often the target of more cybercrime as their stolen data is sold (on the dark web) or passed on to other criminals. It can also have terrible consequences for a company’s reputation and brand, and can lead to a loss of customer trust and the subsequent departure of many customers. Companies also face the threat of further legal action and fines, and the very existence of the company can be threatened by the cumulative fallout of a data breach.

How Pension Schemes Can Be Protected From Cyber Threats

Pension trustees and administrators should take steps to build cyber resilience, which involves the ability to assess and minimise the risk of a cyber incident occurring, and to recover when an incident takes place.

The Pensions Regulator and the Financial Conduct Authority both provide guidance on how firms can improve their cyber resilience and help provide the right level of protection to personal data and assets. 

The Pensions Regulator, for example, offers a set of cybersecurity principles for pension schemes based around a cycle of assessing and understanding the risk, putting the right controls in place, monitoring and reporting.  These principles include:

– Ensuring that trustees and scheme managers are accountable for the security of scheme information and assets and that all third-party suppliers have put sufficient controls in place.

– Making sure that roles and responsibilities are clearly defined, assigned, and understood.

– Ensuring that the skills and expertise to understand and manage the cyber-risk in the pension scheme are present, and these risks are on the risk register and are regularly reviewed.

– Putting an incident response plan in place to deal with incidents and enable the scheme to resume operations swiftly and safely. This should include having an understanding of third-party suppliers’ incident response processes.

– Being clear on how and when incidents would be reported.

Full information on these principles can be found on The Pensions Regulator website.


The Financial Conduct Authority (FCA) has collated insights and experiences from 175 firms across different financial sectors into a publication that is designed to help prioritise efforts in increasing cyber resilience.

Looking Ahead

Trustees and pension scheme managers are faced with a great deal of responsibility for the personal data in their care at a time when cyber threats are greater than ever. Taking a holistic view and making sure that those risks can be assessed and understood is an important step. It is also a step in what should become a built-in, ongoing cycle of cyber risk identification, putting the right controls in place, and monitoring and reporting. This creates a feedback loop that allows the company or organisation to keep testing and strengthening its own cyber defences, adapt quickly to new and evolving threats, and recover quickly from any damage inflicted by an attack or incident.


Mike Knight