Cybercrime is a $7 trillion global industry and cyber criminals are constantly finding new and more sophisticated ways to attack. A UK Government survey on cyber breaches in 2018 found that 43% of businesses had experienced a cyber-attack in the last 12 months – a sobering statistic. It is therefore not surprising that whenever I talk with Finance Directors, they invariably say that cybercrime is one of the key risks faced by their business. Cyber risk was also highlighted as an increasing concern by respondents to PTL’s quarterly risk survey.
So where does this leave pension schemes which, after all, are required to hold a considerable about of membership data and involve the payment and transfer of significant sums of money? Pension schemes are far from immune from the threat of cybercrime, so it’s important that trustees don’t become complacent; they need to take steps to be fully equipped to react to daily and changing threats.
Most trustee boards have considered the risk of cyber security in recent years and in line with guidance from The Pensions Regulator, we have already seen cyber risks increasingly captured within pension schemes’ risk registers. We have also seen trustees adapting over the last year to comply with the GDPR requirements that came into effect on 25 May 2018, with an annual review of GDPR arrangements built in to pension scheme annual planners.
In many cases this compliance with GDPR has already led to some significant changes in practice, such as:
- the establishment of dedicated email addresses for trustees (rather than personal email addresses),
- enhanced controls around sending and receiving important and sensitive information; for example, by secure websites and using two-factor authentication processes.
GDPR inherently places much of the focus on member data risks, whereas cyber risk considerations can be much broader. Trustees need to put in place cyber security policies and create incident response plans that are regularly tested and reviewed.
Of course trustee boards do not necessarily have the expertise required to handle these emerging cyber security considerations. So, relying on external expertise is crucial and this is an area where assistance, resources and support from the sponsoring employer can be invaluable to trustees. Sponsoring employers will already have cyber security policies and protocols in place and will have accessed external expertise where this is not available in-house.
Cyber security isn’t a 9-5 game though, so hope for the best and plan for the worst.
- Do you have a policy in place that will cater for a breach at 5pm on Friday?
- Who on the board will be the principal point of contact in this case?
- Are your administrators included within your incident response plan and are you confident they will be able to respond, as necessary?
These are all questions that your board should have answers to.
Don’t panic if you don’t know the answers yet. Even just considering these issues and having an awareness of the impact of cyber security is a good place to start.
War games and dry-run cyber-attacks, putting contingencies into practice, can also play a critical part in testing the continuing robustness of cyber security provisions and allow you to deal with these ‘worst case’ scenarios in real time.
With just a 72-hour deadline in practice to report to ICO, a quick response is essential. One year on from GDPR, cyber risks have evolved and remain prevalent. Now is the time for trustees to focus on the wider aspects of cyber security and the potential impact on schemes.
Tips for going forward…
· Preparation
· Preparation
· Preparation
Clare James, Client Director at PTL
