2023 saw the first major cyber attack on a large pension administrator in the UK. Its impact was felt across the industry: the pension schemes directly affected incurred significant governance time and cost in taking steps to contain the risk to members' benefits and sensitive information, while schemes not directly impacted were nevertheless encouraged to review and strengthen their approach to cyber education and defences.

As a result, cyber risk is now being recognised as one of the top risks that a pension scheme is exposed to, and for some well-funded or bought-in schemes it may be at the very top of the list.

In this article, we look at some of the critical questions pension trustees, corporates and members should be addressing as a priority, and how cyber professionals, WTW amongst them, can help.

Key questions

Trustees, corporates and members can all be asking themselves important questions in respect of cyber risk; please see some examples below. What's notable is that in addition to reinforcing the defences to reduce the likelihood of a cyber attack, further steps are often needed to manage the consequences of a successful cyber attack.

Trustees

  • If a cyber attack were to disrupt your administration services, how would you pay members their pensions?
  • Can you show regulators what you're doing to manage cyber risk and demonstrate your adherence with evidence?
  • Have you considered how you would tell elderly members that their data has been stolen by hackers, and help them manage the consequences?

Corporates

  • If a cyber attack were to occur, do you know what your liabilities are?
  • Cyber attacks often end up in the press; are you prepared to respond to, and shape, the narrative in the widespread reporting that is likely to follow?

Members

  • Can you financially cope if your pension were suspended for three (or more) months due to a cyber attack?
  • Are you sensitive to the reality that pensioners are considered a highly attractive target for cyber criminals?

Pension scheme cyber risk examples

A looming reality

Cyber attacks are happening now. Sadly, there is almost nothing you can do to stop these attacks; of course, you can put controls and processes in place to reduce the risk, but a capable and motivated threat actor is likely to be able to find a way in. So, a helpful (if unsettling) perspective to adopt when establishing your governance, risk and readiness approach to cyber is that an attack on your scheme is a case of 'when', not 'if'.

Cyber attacks can be nasty, with response and recovery a roller-coaster of emotions that will impact all individuals responsible for the delivery and management of a pension scheme. Stakeholders are likely to experience confusion, pressure and anger, and are likely to be forced to make decisions with incomplete information and a lot of unknowns. Therefore, it's important to know in advance where you will be able to access professional support.

Awareness and preparation

We've painted a grim picture here; but it's not a hopeless one. There are absolutely steps trustees can take to set themselves up to be able to respond to an incident better and recover from it faster. These boil down to two key themes: awareness and preparation.

Cyber awareness

We should build an awareness of the data we hold, the systems we use and the risks facing our scheme, our suppliers and our members in a cyber context. With this knowledge we can take steps to build a response strategy that supports in reducing and managing these risks. This goes hand in hand with the second point: preparation.

Cyber preparation

In preparing for a cyber attack, schemes and companies should have established processes that will swing into action, and be confident that those processes are sufficiently robust. A cyber incident response plan that is specific to your scheme will support you in ensuring that your response effort is understood, controlled and proportionate. Working through a realistic and well-planned cyber 'war-gaming' scenario, with your response plan at its centre, can then really test that robustness, and drive home proper 'muscle-memory' understanding among those charged with operating it.

So, what's the plan?

For schemes just beginning to get to grips with this area, logical first steps would be to take training as a Board, and to undertake something of a cyber 'healthcheck' to learn about your gaps (including in relation to TPR's General Code) and your susceptibility – this will give you a clear plan of action. For many, the ensuing steps will include drafting their cyber incident response plan and information security policy, submitting themselves to that incident response simulation or 'war-gaming', and putting in place a service provider cyber due diligence framework for advisers and other stakeholders. Further steps could include 'one step ahead' member communications that are ready to go, and thinking about training and education that could be provided directly to members. In terms of support, Trustees might helpfully turn to the resources available through the sponsor business. We are also on hand to support you through the above activity, via the pensions specialists in our dedicated cyber risk security team.

Do you have a plan? If not, WTW will provide you with some initial guidance to help you get started.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.