Over recent years we have seen that pension schemes and their supply chains are vulnerable to cyber-attacks. The reasons for this, and the serious consequences of a cyber security breach for a pension scheme, are evident from the Pensions Regulator's Regulatory Intervention Report of February 2024 into the Capita cyber security incident. Cyber criminals' growing interest in pension schemes has resulted in more demanding expectations from the Pensions Regulator and the Information Commissioner in respect of pension scheme cyber security. In this briefing we look again at:
- Why pension schemes are particularly exposed.
- The regulatory landscape (for more detail on these aspects and an explanation of the sources of cyber threats see our publication Cybersecurity for pension schemes – where are we now?).
- Technical and practical ways that pension schemes can plan for and respond to incidents.
Content
- What does cyber risk mean for pension schemes?
- Why are pension schemes, trustees and their suppliers attractive to potential cyber criminals?
- How do cyber criminals attack pension schemes, trustees and their suppliers and what is the impact?
- What are the Pensions Regulator's expectations?
- What are the ICO's expectations?
- Regulatory Priorities: ICO and TPR?
- Key takeaways
- Getting Help
What does cyber risk mean for pension schemes?
The Pensions Regulator defines cyber risk as the 'risk of loss, disruption or damage to a scheme or its members associated with using information technology'. This covers not only the technology itself but also the people using it and the processes supporting it. Pension schemes are therefore expected to understand, assess and manage the level of risk to which they are exposed.
Why are pension schemes, trustees and their suppliers attractive to potential cyber criminals?
Pension schemes, trustees and their suppliers are attractive targets to cyber criminals because:
- Trustees control (usually indirectly) rich levels of personal data and will typically have a highly complex and multi-layered set of processes to manage trustee assets in order to deliver scheme benefits to their ultimate end-users, the scheme members. This data can easily be monetised or weaponised against trustees or scheme members (through the threat of misuse).
- Trustees are inherently reliant on a number of different service providers, including the administrators, asset managers, payroll providers etc. in order to fulfil their legal duties and ultimately, their obligations to members. This means trustees' defences against cyber risk are only as strong as the weakest link in their supply chain.
How do cyber criminals attack pension schemes, trustees and their suppliers and what is the impact?
In the pension scheme context, a cyber incident will typically (but by no means only) involve:
- Hackers gaining access to computer systems (usually a scheme administrator or other supplier) and exfiltrating data.
- Introduction of 'ransomware': encryption of systems via malware, which the attackers state can only be unlocked upon payment of a ransom.
- Phishing attacks, where data processors may be tricked into releasing data.
Consequences of a cyber attack can range from direct theft of pension scheme assets and the threat of theft (of data or assets) to disruption in the payment of benefits, with members also exposed to the risk of identity theft. Cyber incidents can therefore have devastating consequences not only for scheme members but also for trustees and their suppliers from a financial, legal and reputational perspective.
This underlines the need for trustees to be vigilant and to seek to understand the cyber risks to which they may be exposed. It also reinforces why the implementation of appropriate and proportionate cyber security measures to mitigate those risks is now an expected and key feature of any defence to regulatory enforcement action.
What are the Pensions Regulator's expectations?
The Pensions Act 2004 requires trustees to have in place and operate an effective system of governance and internal controls, specifically including cyber controls. The Pensions Regulator has set out Cyber Controls in its General Code; these are effectively its key expectations of trustees for assessing and managing cyber risk. By way of example, it requires trustees to have knowledge and understanding of cyber risk; to recognise the need for confidentiality and integrity in systems for processing personal data; to have clearly defined roles and responsibilities to identify cyber risks and incidents; and to assess the vulnerability of the scheme's functions (among other expectations).
Trustees should familiarise themselves with the Pensions Regulator's expectations and consider implementing cyber security policies to adhere to them. Overall, the Pensions Regulator expects trustees to consider:
- How cyber controls interface with IT systems, continuity planning, and governance systems.
- How suppliers meet the expectations that trustees must meet.
This latter point has come into focus recently with the Pensions Regulator's publication of revised guidance for trustees in December 2023 (The Pensions Regulator's Cyber Security Principles) and its report into the Capita cyber incident. The revised guidance sets out what trustees should do to ensure controls are in place, how they should work with third-party suppliers to minimise risk, and how they should respond to and report incidents. Key points from this guidance and the Capita report are factored into our key takeaways below.
What are the ICO's expectations?
Taking the example of the ICO's involvement in high-profile cases, the ICO's expectations of pension scheme trustees are:
- The implementation of appropriate technical and organisational measures to protect personal data, having regard to the "state of the art" and the costs of implementation when deciding what measures to take. If pension scheme internal controls are properly implemented and complied with then this will go some way to demonstrate that the ICO's expectations have also been met.
- Notification to the ICO within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to pose a risk to people's rights and freedoms (in some cases reporting may need to be made sooner). A report does not need to set out all the facts; what is reported, and when, is a matter of judgement on which advice can be sought.
- Cooperation between data controllers and data processors to ensure that data subjects that require notification are informed 'without undue delay'.
Regulatory Priorities: ICO and TPR?
The ICO and TPR have different regulatory priorities in a cyber context. Trustees may want to keep this front of mind when dealing with either regulator in the context of a cyber incident.
ICO
- The ICO's primary focus is to ensure the rights and freedoms of individuals are protected. This is its 'north star' and guides its enforcement approach.
- Following a notification, or on becoming aware of an incident, the ICO will consider whether to launch an investigation. The focus will be on whether the entity in question had 'appropriate' technical and organisational measures in place to protect personal data. These measures need to be commensurate with the risks posed. This is called the 'security principle' and applies to data processors as well as data controllers.
- Given the increase in cyber incidents, the ICO has moved towards closing its files for 'smaller breaches' relatively quickly, sometimes within a matter of days. However, some organisations undergo years of regulatory investigation, occasionally resulting in large fines.
TPR
- TPR is focused on ensuring employers, trustees, pensions specialists and business advisers can fulfil their duties to scheme members.
- In a cyber incident context, key focuses include ensuring pensions and other benefits are paid on time.
- TPR is also focused on ensuring that administrative services experiencing disruption are returned to normal as soon as possible. It is important that business continuity planning and disaster recovery processes are well rehearsed to mitigate this risk. This is something TPR is focusing on more and more.
Key takeaways
While cyber security is a relatively new and fast-moving area of concern for trustees, it is one that can be approached appropriately and proportionately and managed in stages. We set out below the key takeaways that trustees may wish to consider.
- Education - Trustees are responsible for pension scheme governance (including cyber risk) and for protecting members. They are expected to have the relevant education and skills to understand cyber risk and may wish to seek training relevant to their role, engaging with expertise from the employer or external experts as necessary.
- Monitoring - Trustees may wish to put in place policies, controls and procedures to monitor, register and report cyber risk. The Pensions Regulator suggests policies should be reviewed regularly, at least annually and more frequently if there are substantial changes to your scheme's operations (for example, a new IT system or a change of administrator). Having policies and reviewing them will help demonstrate that trustees have fulfilled their governance obligations.
- Data mapping - Trustees may want to think about how data flows from the scheme between its suppliers and third parties and look carefully at their supplier terms. They may want to understand who is processing scheme data, and have contractual requirements or standards as to how data is held, for how long and how it will be protected. Preparing a scheme data flow map and a supplier key terms schedule are useful tools to demonstrate knowledge, understanding of key vulnerabilities, and risk and governance.
- Incident response planning - In terms of incident response, pension schemes should think ahead, have incident response teams and plans in place, and road test them. While it will be virtually impossible for trustees to consider and plan for every eventuality, plans should as a minimum cover continuity of key functions (including the payment of benefits and member communication systems). Recent incidents have shown that the Pensions Regulator may intervene to ensure that critical services such as the payment of pensions are not interrupted before turning to the normalisation of other administrative services.
- Impact mitigation - Investigations will often require quick identification of any data exfiltrated and assessment as to how the breach can be isolated to minimise member and scheme impact. Incident response plans should therefore cover internal and external information sharing protocols, escalation and reporting as well as the involvement of IT and cybercrime specialists, legal advisers and PR representatives, and consider how members, if adversely affected, are redressed.
- Dealing with Regulators - When, and before, communicating with members, trustees may want to consider whether ICO reporting requirements are triggered and, where necessary, take legal advice. Reporting to the Pensions Regulator does not replace trustees' existing legal requirements to report breaches of law to it, or to investigate and report personal data breaches to the ICO without undue delay and within 72 hours (if the breach meets the threshold for reporting). Where reporting is required, the Pensions Regulator expects trustees to engage with employers, administrators and service providers to understand how the scheme and members are affected. It has asked, on a voluntary basis, for cyber breaches that are "materially significant" to be reported to it as soon as reasonably practicable.
- Member Communications - Whether or not a regulatory report is required, we recommend trustees consider member communications. The Pensions Regulator recommends that trustees are open and transparent so that members, as the data subjects, are aware of the security and potential misuse of their personal data. Trustees should also consider directing members to the National Cyber Security Centre (NCSC) guidance for individuals on data breaches; schemes can also contact the NCSC for support.
- Insurance - Trustees may want to look at the insurance cover the pension scheme has in place in relation to cyber security risk and renew or extend cover as appropriate. If the pension scheme does not have cyber security risk insurance in place, the trustees should consider whether it is appropriate for the pension scheme.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.