Cyber crime is on the rise, with the National Fraud Intelligence Bureau reporting that the UK lost in the region of £2.4 billion to fraud and cyber crime in 2021. The ever-evolving capabilities of technology, combined with a pandemic which has likely exacerbated existing weaknesses in systems and processes, mean that cyber security should be an area of concern for all businesses.
Pension schemes, by their nature, hold large volumes of member personal data and this makes them a common target for cyber criminals. This data is often held on behalf of the scheme by a third party administrator, rather than under the direct control of the scheme. Accordingly, pension scheme trustees need to be alert to the need for cyber security measures and should take active steps to prevent and mitigate the risk to their scheme and its members. We set out below some of the key considerations and actions for pension scheme trustees, and what Brodies can do to help.
What do we mean by 'cyber risk'?
While many people are familiar with the obligations in relation to data security and the concept of a personal data breach under data protection law, cyber risk is a much broader concept. Cyber risk is the risk to an organisation's IT systems and data as a whole, whether or not personal data is involved. Cyber risk might mean the loss or destruction of or unauthorised access to data (including personal data) or an attack that compromises access to or use of a system.
While organisations often focus on the former, an attack on a key system can be equally damaging.
Common types of cyber attack for pension schemes to be aware of
Cyber attacks can take a number of forms, including:
- Ransomware attacks – where systems or data are encrypted by the attacker to force payment of a ransom
- Data theft – where data is subject to unauthorised access, for example, by exploiting an unpatched vulnerability in a system and taking a copy
- Cyber theft and fraud – where stolen data is used for identity theft or to commit fraud
- Distributed denial of service – where a system or website is subjected to a sustained flood of traffic that stops it being used.
Attacks can come from a number of angles. An organisation may be specifically targeted by a third party or by a rogue employee looking to cause damage or disruption, or it may fall victim to an opportunist "drive-by" attack by someone seeking to exploit whatever vulnerability they happen to find. Attacks might exploit known vulnerabilities (for example, a failure to apply a patch or update for a known issue), be a "zero day" attack (exploiting a vulnerability that was previously unknown), or come from an insider threat, that is, someone using legitimate system access for unauthorised purposes.
What are the possible consequences of a cyber attack for pension schemes?
The implications of a cyber attack on a pension scheme could be far reaching.
Inevitably, there are reputational risks (for both the scheme and its sponsoring employer) to consider as well as business continuity considerations – if a scheme suffers a cyber attack, trustees and scheme administrators may find that member data is compromised. If member data can't then be accessed, the scheme can't function and pension scheme trustees could face compensation claims from affected members and be liable to meet the costs of clean-up.
Trustees must also consider the implications of failing to meet regulatory obligations. There are a host of requirements under data protection legislation in relation to both data security and the use of third party processors. If these are not complied with, action could be taken by regulatory authorities such as the Information Commissioner's Office, and significant financial penalties could be imposed. For example, British Airways was fined £20 million in October 2020 for failing to implement adequate security measures to protect the personal and financial details of its customers, after more than 400,000 of them were affected by a cyber attack in 2018.
In terms of pension-specific regulation, the Pensions Act 2004 requires pension scheme trustees to establish and operate adequate internal controls. The Pensions Regulator (TPR) also has extensive guidance on cyber security, including a code on internal controls, and a set of cyber security principles. TPR's focus on this is only set to get sharper, with new guidance on cyber security likely to be brought into force under its forthcoming single code of practice, a draft of which was published in 2021.
What mitigatory steps should pension scheme trustees be taking?
Even where the daily functions of running a pension scheme are delegated or outsourced, its trustees still have the ultimate responsibility for compliance with regulatory requirements, including protecting scheme data and assets from cyber attacks. So how can they comply with these duties?
- Trustees should, in the first instance, ensure they have identified, understood and analysed the risks their scheme faces from a cyber security perspective. Cyber risk should form part of any regular risk assessment undertaken, and of any risk register maintained, as part of the scheme's administration. Schemes may wish to consider appointing one trustee to take primary responsibility for thinking about cyber risk.
- Controls should be in place to mitigate the risk and consequences of a cyber attack, such as up-to-date anti-virus software, regular patching and updating of systems, secured devices and email domains, and data back-ups. Trustees should also maintain a data breach log and ensure it is regularly reviewed.
- There should be comprehensive policies in place around any areas which have implications for cyber security, including data protection, social media, and home working.
- Robust governance structures should be in place, and trustee knowledge and understanding kept up to date. Trustees should know their duties in respect of cyber security, and have a cyber incident response plan at their disposal which they can turn to in the event of a cyber attack. This should identify an incident response team, including professional advisors (legal, forensic IT, and reputation management) and appropriate representatives from the scheme's key service providers. The plan will need to be implemented quickly in the event of an incident. How will this be done?
- Trustees should consider and assess their relationship with any external parties involved in scheme business, such as providers of scheme administration services, and providers of IT systems and other services (for example, print and fulfilment, or handling payments). This includes appropriate due diligence on the third party's information security measures, its vulnerability to cyber attacks, its internal processes for managing that risk, and how such an event would impact the scheme. Trustees should review any third party contracts to identify weaknesses and negotiate protections as necessary. Trustees should also ensure that the contracts they have in place with processors comply with the requirements of data protection law, and that procedures are in place to check that each processor is complying with its obligations.
- Business continuity and cyber incident response plans should be tested on a regular basis, to ensure that these are effective. Lessons learned should be incorporated into updates to the plans and procedures.
Trustees should also understand what insurance cover they have in place (including specialist cyber insurance), to meet any costs associated with a cyber attack.
What can Brodies do to help?
Our leading teams in Pensions and in IP, Technology and Data have plenty of experience in advising pension scheme trustees, both on implementing measures to mitigate the risk of cyber attacks and in providing assistance in the event of a cyber incident occurring.
If you would like to find out more about anything discussed in this blog, please get in touch with your usual Brodies contact.