Pension Funds Insider


Cyber Security – An increasingly risky outlook


Chris Heirene of Quantum Advisory offers practical advice on how Trustees can protect themselves and prepare for cyber attacks.

Recent publicised breaches have shown criminal organisations the value of the data held by pension schemes across the UK. This has increased the risk to the pensions industry, as criminals look to extract even more data from schemes and build on their earlier successes.

Whenever I talk to Trustees about cyber security, I reinforce the point that you need to plan for when, not if, a cyber security breach occurs within your scheme. One of the best ways that boards can prepare themselves and their schemes is to run simulated "cyber warfare" sessions (tabletop exercises). During these sessions you walk through a simulated breach, familiarise yourself with your incident response processes and the questions you should be asking, and prepare for when the worst happens. That familiarity better equips you to contain the impact on your scheme in a real breach.

Trustees need to ensure that they have a robust cyber security framework covering policy, supplier management, training and incident management. Regarding the recent breach, the regulator has said: "This incident shows the importance of having a robust cyber security and business continuity plan in place. Make sure you have read the cyber security guidance and check that your own plans are up to date. We may engage with you further to understand the steps you have taken and what progress you have made."

As a Trustee, if you are just starting your cyber security framework and do not know where to begin, a good first step is to get on top of your supply chain. Although you remain accountable for the security of your scheme's information, that data is most likely held by third parties, so your biggest risk sits with the organisations that legitimately store and process it on your behalf. Recent statistics released by the ICO (Information Commissioner's Office) show that over 80% of reported breaches involved human error by individuals who had legitimate access to the data. Cyber security management of your supply chain can build on the work you have already done for GDPR, and the same suppliers are likely to fall into scope.

It is also important to remember that your own cyber hygiene matters, and that you yourself are a target. Where possible, make sure that:

  • You do not use the same password for multiple systems or organisations. If an attacker compromises one, the same password will be tried against your other accounts. A password manager makes unique passwords practical.
  • For anything important you have enabled multi-factor authentication (also called two-factor authentication / 2FA), so that a password alone is not enough to log in. The second factor is typically a code from an authenticator app, a prompt on your phone or a hardware security key; a code sent by text message is better than nothing but is the weakest of these.
  • Your devices and software are up to date. When your computer is nagging you to restart to install updates, that matters: many attacks exploit flaws for which a fix has already been released.
  • You are always suspicious of emails, especially ones you were not expecting. It takes minutes to contact the sender and confirm an email is legitimate (use a different channel, such as a phone number you already hold, rather than replying to the email or using contact details it contains) and much longer to recover from an attack.
  • You are aware that not all phishing attempts ask you to open an attachment or click a link. Sometimes the attacker builds trust first and the malicious request comes in the second or third email. That said, be especially suspicious of attachments and links, and if in doubt go directly to the website by typing its address rather than following the link.
  • You can get advice from the NCSC on more ways to stay safe at https://www.ncsc.gov.uk/cyberaware/home.

Chris Heirene, Partner and Head of IT at Quantum Advisory LLP