Whilst there are no explicit legislative provisions on pension schemes and cyber security (there is no such thing as the Occupational Pension Schemes (Prevention of Threats to Cyber Security) Regulations), the Pensions Regulator has nevertheless stated that trustees should consider it a “key risk”.
This is hardly a revelation given the quantity of personal data held by those involved in running pension schemes, including (but not limited to):
- Members’ names, addresses, ages, earnings and marital status
- Contribution details
- Bank account information
Sensitive information, such as medical reports and pension scheme members’ sexual orientation, may be processed too.
It should come as no surprise, then, that the Regulator also said that trust-based schemes and the third-party administrators looking after them on a day-to-day basis could be doing more to address cyber security risks.
- What are the risks?
- Who is responsible for preventing them?
- What more should they be doing to protect pension schemes and their members?
Pension schemes hold vast amounts of personal data and financial information, which cyber-criminals would love to get their hands on.
Combine this with the volume of media reports on hacking attacks (e.g. last year’s Tesco Bank hack, where the company reported a £2.5m loss) and, whilst pension schemes have not yet been the subject of a reported successful high profile attack, it is easy to see why cyber risk is a hot topic.
Moreover, it is an area trustees should be taking very seriously: ActionFraud estimates that 70% of fraud is cyber-enabled.
For pension schemes, cyber risks encompass but are not limited to:
- Hacking attacks against the scheme
- Loss of laptops containing personal data
- Computer viruses
- Phishing (emails purporting to be from reputable companies that induce individuals to reveal personal information).
In the event of one or more of these risks materialising, the damage to the pension scheme could include all of the following consequences –
In short, in terms of ‘time and money’, the damage could be significant.
THE TRUSTEES’ ROLE
Notwithstanding the opening comment about lack of explicit regulation on pension schemes and cyber security, trustees do have legal duties that are connected to it. In particular:
- Data Protection. Trustees, as data controllers, must comply with the Data Protection Act and its eight principles. They must make sure that personal information is:
  - Fairly and lawfully processed
  - Processed for limited purposes
  - Adequate, relevant and not excessive
  - Accurate and up to date
  - Not kept for longer than is necessary
  - Processed in line with individuals’ rights
  - Not transferred to other countries without adequate protections.
  The eighth principle is particularly relevant where there is ‘offshoring’ of pension scheme administration.
- GDPR. The new General Data Protection Regulation, to be implemented in the UK in 2018, notwithstanding ‘Brexit’, will strengthen enforcement.
According to the Government’s just-published Cyber Security Regulation and Incentives Review, “the approach the UK takes to implementing the GDPR presents an opportunity to incentivise significant improvements in cyber risk management”.
- Internal Controls. Under the Pensions Act 2004, trustees must establish and operate internal controls to help them monitor the management and administration of their schemes.
Internal controls also improve the safe custody of assets and help protect the scheme from adverse risks.
Of course, trustees do not operate in a vacuum, and many outsource the day-to-day administration of their schemes to third parties.
WHAT THEN SHOULD THEY EXPECT OF SERVICE PROVIDERS?
Trustees can reasonably expect that their service providers have taken steps to clarify responsibilities and, where appropriate, to mitigate the risks associated with cyber security, and, crucially, that they are able to evidence the steps they have taken.
For example, at JLT:
- Our contracts with pension scheme trustees and employers clearly allocate accountability for cyber security risks and responsibility for management and oversight of personal and financial information.
- We have a formal and documented cyber resilience strategy, which embraces various information security management standards (ISO 27001/2, 27005, 27015, 27035, PCI-DSS 3.1, NIST, CIS20) and HM Government Cyber Essentials.
- Our risk controls include:
  - Regular monitoring and testing of systems
  - Senior individuals within the organisation having responsibility for cyber security
  - A 24/7 IT incident management process
  - Rules for reporting incidents to clients and regulators
  - Vetting of staff upon recruitment and regular training on information security thereafter
  - Prohibiting access to personal e-mail and social media
  - Requiring encryption of portable media, such as laptops and memory sticks
  - Data Loss Prevention (DLP) software to help reduce the risk of data leakage
  - Cyber insurance.
Trustees should seek similar assurances to those above from their other service providers.
In addition, consideration should be given to:
- Implementing a security policy
- Adding cyber security to risk registers
- Communicating with and reassuring members about cyber risks
- In case the worst happens, having a communication protocol in place (including designated spokesperson and pre-prepared statements)
- Reviewing whether cyber security is covered in any insurance policies.
Effective cyber security requires IT technical controls, process and policy safeguards and, importantly, a human element (behavioural checks and clear expectations of employees). It is an enterprise issue that requires a co-ordinated approach and response.
In terms of developing all of this into a strategy for the mitigation of cyber risk, a useful starting point is the scheme risk management cycle in the Pensions Regulator’s Internal Controls Code of Practice:
Our colleagues in JLT Specialty have a Cyber Risks team who work with a variety of specialist insurers to offer bespoke solutions to fit specific threats and needs. Read their latest Cyber Risk and Insurance News here.
John W. Wilson LLB(Hons) FPMI ACII, Head of Research | Email: firstname.lastname@example.org