Is your scheme cyber secure?

14th December, 2020

    I was reading a report recently which stated that, along with the rise in internet usage due to the Covid-19 pandemic, cyber security incidents have increased exponentially. Since the beginning of 2020, there have been more than 445 million cyberattacks reported, which is double the 2019 figure.

    This is a worrying statistic. For all of us who are trustees of pension schemes, it brings home the need to ensure we have robust Cyber and Information Security Policies in place for each of our schemes and that such policies should be regularly reviewed.

    Pension schemes are a source of large quantities of data and assets, which makes them prime targets for fraudsters and criminals.

    Guidance published by The Pensions Regulator highlights that all ‘pension scheme trustees need to take active steps to protect members and assets against cyber risk’. In addition, the Pensions Administration Standards Association (PASA) recommends that trustees prepare for when a cyber security incident occurs rather than if.

    Clearly, it is not possible to remove all risks of a cyber security incident happening. However, I have set out below the recommended steps I believe all pension scheme trustees should consider taking now to significantly reduce the risks.

    Ensure an initial risk assessment is carried out

    As an initial step, review your current security levels and consider whether there are any weak links in your processes. For example, do the trustees have secure email addresses and secure devices on which they access scheme data? Also, do they have the facility to send confidential information or data securely to recipients?

    Is it possible to share trustee meeting packs online, instead of posting them out?

    Ensure an incident response plan is in place

    It is vital that, in the event of a cyber security attack, the trustees know what steps they would take to deal with it. All remedial actions and decisions would need to be mobilised as quickly as possible. Therefore, it is very important to have a robust response plan in place which details what actions would need to be taken and which personnel would be responsible for taking key decisions.

    Review the cyber security policies of the scheme’s advisers/suppliers

    It is important to fully engage with all of the scheme’s third-party suppliers, such as administrators and investment managers, to fully understand what they would do if a cyber security attack were to take place that affected your scheme. They should also have an incident response plan of their own.

    In addition, the trustees should review on a regular basis the contracts for third-party suppliers to establish where responsibility for a cyber security breach lies. If this is not covered in the contract, the trustees should consider an amendment to ensure full coverage.

    Monitor cyber risk

    The trustees should ensure their scheme’s cyber risks are regularly reviewed and assessed, include this as a standing item on their meeting agenda, and record the risks in the scheme’s risk register.

    Conduct cyber security training

    It is important that the trustees receive regular training on identifying the warning signs of cyber security scams and common preventative measures.

    Fail to prepare …

    Unfortunately, cyber attacks are not going to go away – they are much more likely to increase in frequency. Trustees who ignore the dangers do so at their peril, and at risk to their members. We must all give a great deal more focus to protecting our schemes from cyber attacks throughout 2021 and onwards, especially as conducting pension scheme business electronically becomes the new norm!

    Published by Adrian Campbell

      Adrian is an Accredited Trustee by the Association of Professional Pension Trustees and obtained the EPMI (Membership by Experience) Qualification in November 2023. Adrian works on a range of Dalriada Together Schemes in a trustee capacity and has a wealth of...
