This second session will consider how trustees can move beyond compliance with the regulatory requirements to adopt robust processes to address cyber threats, what happens when incidents occur and how to deal with third parties from a cyber security and data perspective. We will be focussing on practical steps trustees can take to improve their position.
Chair - Ben Goldby, Partner at Gowling WLG
Speakers - Phil Naybour, Trustee and former head of e-security at Thales UK Ltd and Amber Strickland, Principal Associate, tech disputes and cyber security team at Gowling WLG.
Transcript
Ben Goldby: Welcome everyone and thank you to all of those who have already joined, we are just seeing the numbers ticking up in the bottom corner of my screen but we will get started so ... welcome everybody to this Gowling WLG Webinar on the subject of cyber security. So by way of brief introduction my name is Ben Goldby, I am a partner here at Gowling WLG, in our pensions team. I am delighted to be joined today by Phil Naybour who has a unique perspective on cyber security as both a trustee himself and a former head of e-security at a large multi-national business. So much of today's session will feature Phil sharing that expertise and you will also hear from my colleague Amber Strickland who is a principal associate here at Gowling in our cyber dispute resolution practice and she specialises in the contractual protections that you can put in place with third party suppliers. So, the session today is really aimed at helping you to manage your cyber security risk which I know remains a keep-you-up-at-night type of risk for many trustee boards. We are also going to look at what to do when the worst possible thing happens and the worst possible scenario transpires, how you can deal with cyber incidents and how you can protect your position when those cyber incidents affect your third party suppliers. Just a couple of housekeeping points from me before we get going. Today's session is going to be recorded and uploaded to our website and there will be a follow up email which will ask for your feedback amongst other things, so look out for that recording which will come through in due course. Everybody other than me at the moment is on mute and video off so if you can use the Q&A function at the bottom of your screen to submit any questions you may have throughout the session that would be fantastic. If we don't get to any of your questions live we will get back to you by email and we have set aside ten minutes at the end for those Q&As.
The session today will last for about an hour. We will aim to finish that slightly early so that you can go and get your lunch if you haven't had it already but yes we will crack on now with the session and I will spend just a few moments outlining the pensions landscape as it stands today before we get into Phil and Amber's session. So, some of this will be familiar to some of you but I think it is important to just set a bit of context before we get going. So, you will probably have been inundated with information about the new general code which has been in force for almost exactly a month now. I know it felt like we were waiting for it for ages but it has been with us for a whole month. It does contain a section on cyber security and as many of you will know the regulator has issued additional guidance on this topic at the back end of last year following a large breach in the pensions industry. So just to set your duties as trustees in the legal context here, your obligation remains to have an effective system of governance or an ESOG as I have put on the side there. This effective system of governance includes identifying risks and establishing controls and one of those risks clearly is cyber security. It is important whenever we are dealing with that ESOG to bear in mind the concept of proportionality, your risk management functions as trustees have to be proportionate to the size, nature, scale and complexity of your scheme, so if you are particularly vulnerable to cyber risk or you are a particularly large scheme with lots of data, you might take a different approach to a smaller scheme that has particularly robust cyber protections in place. The own risk assessment or ORA is the thing that gives shape to that new general code, it is the end product of general code compliance exercises.
For the vast majority of schemes that will not be required until 2026 or beyond but the cyber security risk is clearly a present and ongoing danger for pension schemes. That is driven by a number of things not least the political instability around the world, the explosion in home working after the COVID pandemic and the increasing sophistication of attackers as well. So, it is a blinking red light on that risk assessment and our advice to you is to make sure that you are tackling it now and largely to treat it in a similar way to investment risk, it is something where we can't do anything about the overriding issues that happen in the markets, just like we can't do anything about the fact that cyber risks are growing, but we can take steps to mitigate it within our pension schemes. So just a summary of the regulatory guidance there on the slide. We are going to talk about all of these points in more detail in the session as we go through but a fairly familiar cycle for anybody who has engaged with this topic and engaged with the regulator's guidance on this topic over the years. So, there is understanding and assessing the risk, clearly working out what that risk is, both what you need to protect and what the threats might be, and then assessing and prioritising those risks. We are going to talk a bit about putting in place controls and indeed reviewing those controls as you go along to make sure that they are fit for purpose.
We are going to talk about response, in particular business continuity planning and incident recovery plans and how you can ensure that you are in the best possible position if the worst should happen, and then finally reporting. We won't spend a huge amount of time talking about that today but I just wanted to flag up that that regulatory guidance that came out in December of last year goes a little bit further than previous guidance and asks that trustees, alongside your ICO reporting obligations, so that is the famous 72 hour ticking clock for reporting personal data breaches to the ICO, you now have a new requirement from TPR where there is a significant cyber incident for that to be reported to TPR as well on an as soon as reasonably practicable basis. What is significant you might ask, well they have given a bit of guidance on that as well so significant loss of member data, so lots of data lost, major disruption to services, so for example if pensions cannot be paid, or just a negative impact on a number of other pension schemes or pension service providers so, something systemic that is affecting multiple people. So I am going to hand over to Phil having set that bit of context and he is going to share his experience with us.
Phil Naybour: Thank you Ben. Good afternoon everybody. My name is Phil Naybour and I was until a couple of years ago a full time executive of Thales in the UK and for 20 odd years I ran a business that was known as Thales E-Security and I say that because since I left it has been rebranded so there is no point in going away and googling that for up-to-date information. I ran that business for 20 odd years. That business was involved in providing high-end commercial information security systems to names that you will be familiar with let's say. So Visa, Mastercard, Swift, CHAPS, Microsoft plus if many of you use WhatsApp and get that little message that says your messages are now encrypted we may have been involved in doing that sort of thing so you can imagine that we dealt with more or less, I would say, probably, it is amazing the number of people that use that type of equipment but we dealt with probably most of the Fortune 500 companies and designed various systems for them to help them conduct their business securely across the globe. I had some involvement in government security at higher grades as well, so I guess that sort of benefit of this call, that gives me an understanding of what happens if you take security further than you need to for your own commercial requirements. It can become extremely onerous and anybody that has been involved in top secret high grade government systems knows that security is an onerous requirement and our job as Ben said is to get appropriate security for the risks we are managing. I have also been a trustee of the Thales UK Pension Scheme for the past 16 years and during that time I was involved as chair of the governance sub-committee, I was chair of the investment sub-committee and I led the project with the company sponsor to transfer our risk to an insurer which was announced on 1 December last year. So we have been through the early stages of that risk transfer and we are now in the implementation. 
During that time, particularly when I was involved in governance, I was responsible for cyber security and maybe I don't like the term cyber security, it is a very useful term, but it is really an information asset security risk. So I wrote the policy, I wrote the risk itself actually to be honest in our risk register and I then wrote the policy and have that on the other screen, alongside, in case I get any detailed technical questions. I wrote the policy that expresses how we manage that risk and I then wrote the questionnaire that we use to assess our suppliers to see how those suppliers, service providers mainly, do or do not meet our requirements and I have then evaluated several of those service providers, if you like, personally. So, we mentioned what to do in the case when things go wrong and for us things did go wrong a few years ago. We didn't suffer the cyber breach but we suffered, if you like, the consequences of a cyber attack. It wasn't a particularly sophisticated technical attack, it was a fairly basic technical attack, but it exposed our assets in places that they shouldn't have been exposed let's say and as a consequence we were temporarily relieved of ownership of some of those assets and I led our response to that and it has a happy ending because, at least from our point of view, as a trustee we recovered all of our monies and, I think it is fair to say as well, that our service providers were strongly encouraged, and Amber was of some assistance in this regard, strongly encouraged to ensure continuous improvement of their systems and processes in order to prevent a recurrence. So, we did respond to an incident and quite successfully at least from a financial point of view.
So that is sort of my background as to why I am here discussing this and really what flows from that, I said a couple of minutes ago I am not sure that the term cyber is the best because having been in the industry it is very very easy to go very quickly into a sort of detailed debate about firewall settings and policies to scan servers for updates and yes all of that is important technical stuff and it is important that whoever is actually managing the detail of the systems that we use is au fait with all that detail and is on top of it and is managing it, but I am not sure it is necessary for a trustee board to be overly concerned with firewall settings, at some point we need to delegate the sort of technical responsibility for getting those things right to the service providers that we use. So certainly when I look at what we put together with our policy and with our questionnaire I tended to work at a different level, a sort of management level that says, you know, how are you managing this stuff, have you got the appropriate management processes and tools in place to deal with this stuff and how do you demonstrate that to me in a way that I can get comfortable with the cyber risk for the scheme, and really I started by looking at, you know, it's an information risk at the end of the day. It is all about information and really it gets very complex, very quickly but it is really quite simple, we only require three things really of information. We require it to be available when we need it, to the right people at the right time, we require it, perhaps, but yes we require it to be confidential.
That doesn't necessarily mean it is locked away and no one can ever look at it, but we just need to make sure that we know who is looking at it and why and if somebody is not supposed to be looking at it that it is kept confidential from them, and we require the information to be accurate and certainly elements of the cyber breach that we suffered, really it was the final point, it was the accuracy of the information, that became a problem, somebody was able to pretend that they were somebody else. I had information that they altered so those are sort of basic principles and then we then looked at what information we have and where that risk is and as a pension scheme there are really two areas of interest to the cyber criminal let's say and that is where we should put ourselves in their place I guess. We tend to have a lot of money sloshing around in our assets so that is one area to look at and we tend to have a lot of personal information because our scheme had, still has, 16,500 members so, you know, that is a lot of personal data and obviously we need to pay those members so we have quite a lot of detailed information about those members. So when we start to break down and look at the information and what the risk is then we can start to come up with policies to manage that risk and really having done that I guess we, like most pension schemes, we ourselves do not have a big operating entity, we are a trustee board and all of the actual operations are carried out on our behalf by service providers through service contracts. So really to me there are a number of things that are important for a pension scheme. I think really that the risk is significant enough that every pension scheme should have somebody on the board that understands the information risk.
Perhaps not at the detailed firewall setting level, in fact I would argue that that is probably the last thing we need, but somebody on the board. My experience of pension schemes, and I don't know who is in the audience, but I am guessing there is a lot of people from HR and there is a lot of people from legal and there is a lot of people from a financial background, but it is very helpful sometimes to have somebody that understands the management of information and what good looks like in the world of the management of information. So that would be, I would say that wouldn't I, but that would be my first point, that somebody on the board. It's hard to imagine that you could run a pension scheme without having somebody with actuarial knowledge. It is hard to imagine you could run a pension scheme without having somebody with legal knowledge. I think we are reaching the point where, we are probably at the point, where it is hard to manage running a big scheme with effectively all of its assets and all of its members expressed as information, that it is becoming a sort of basic skill I think for running this sort of scheme and then really there isn't a great deal of, there is no magic bullet, to sit down and write down what it is you want to achieve by managing your information and that needs a little bit of careful thought. So, when we looked at confidentiality for example, I guess we like many schemes had trustees who were current employees of the sponsor company and those trustees tend to use IT provided by the sponsor company and is that a confidentiality issue for the trustee? Much of the information, certainly the member data, only arrives at the scheme through the sponsor anyway. But you would do a three yearly valuation process and you have commercial negotiations to manage that valuation process. So, there is some information that the trustee would want to keep confidential from the sponsor.
So, you have a debate about how to manage a situation where much of what you are doing might be done on company IT infrastructure but you know which bits need to be kept confidential from the sponsor, which bits you are not worried about sharing with the sponsor? Also a lot of that information needs to be shared, you know we share a lot of detailed information with Gowling, so we need a mechanism to do that. So, we did write a policy. I tried to keep the policy pragmatic, understandable to the remainder of the trustee board and I think it was, it is a document that I read through this morning again actually just to remind myself before I did this call, it reads OK, it explains what we are trying to do and then we set about really going through our service providers to assess whether they were able to meet the important elements of that policy and you know it is no surprise that broadly speaking any service provider in this industry has to be, let's say, pretty good otherwise they are not going to survive very long in the industry and certainly my experience is most people are pretty good but there are definitely some gold standards that I have seen which were helpful to us and so we then ran supplier service provider assessments and then with the company, unrelated to cyber security, with the company we agreed to do a risk transfer project but clearly that, at the very least, introduces a complete difference to our service providers so we carried out, I carried out, the assessment of the cyber security of the bidders for the risk transfer and I guess many schemes will be talking about risk transfer at the moment with favourable bond yields, let's say, and other factors. Certainly a couple of things that I could comment around the risk transfer. I think I identify perhaps five ways where it reduces cyber risk and one way where it may increase cyber risk.
Broadly speaking for most of us in the pensions world if you do a live risk transfer it will actually reduce the number of service providers that you have got. It will, eventually in our scheme, it will take our number of service providers down to one. So, you know, that's a reduction in itself. The whole risk transfer process itself is a data based activity. It's an information based activity and leads to a massive amount of due diligence on the information contained within the scheme and in our case a huge clean up and an archive process and in fact a data destruction process because you end up with a contract which specifies what data and what information will be used as the basis of the benefit specifications and that then becomes, if you like, and what we have ended up with is a set of benefit specifications which replaced more or less 40 or 50 years of history and so those benefit specifications are clearly written, they are clearly archived, they haven't got, you know, I wish I could say that all the 50 years of history was clearly written and clearly archived but the reality is there were some holes, so, and we have created a very clear information hierarchy. At the top end you have got the contract with the service provider which reflects the benefit specification so you end up with a much more structured information environment which is much easier to police and maintain and so that is actually in my opinion, and a lot of data, a lot of old data that has now been updated and has actually been destroyed and so, you know, the actual amount of information which is available to penetrate has dramatically reduced. Also in looking round at let's say the life insurers, and there is a relatively limited number of those people that are in that business in the UK.
In general what I find by looking at them is they all have very modern IT systems that they have recently put into place and a fundamental initial design criterion for those systems was to make them secure. That is not to say that other service providers are not running secure systems but it is clear that they have a benefit in that effectively they don't have much in the way of legacy and legacy in IT security terms is tricky stuff. So, I think there is a benefit, a cyber risk benefit, to just getting on to updated IT systems and I said that, I have to say that, having done, having sat both sides of the table, so I have sat on the side of the table where I have received questionnaires from customers and I have employed people to fill them in. I have also sat on the side of a table where I have been conducting the cyber review of suppliers and I have to say there are two or three examples of let's say gold standard that I have seen in my time in this industry where I saw, I think, best in class information security management presented to me in a way where I could see that the company concerned had information security management at the core of their, if you like, corporate DNA and everything they did was built on top of that and those areas were when I was looking at the bidders for our insurance policy and I have to say as well that the people who provide the board room management services that we use as well, both of those people who I won't name but they showed, I would say, gold standard information security management to me. So I think I can say that based on the above risk transfer insurance has reduced our cyber risk and so I could put my hand on my heart as a trustee and say from a cyber point of view I think the risk goes down during that process.
There is one more potential area where it goes up: clearly we have transferred our risk, we have got 16,500 members and we have transferred our risk to somebody that has got around one million and clearly that represents a much bigger target so whilst I can see many ways that it has reduced our risk you could say that there is simply a bigger target. So you could argue that might have increased the risk but I would argue that they know they are a big target so they have done a lot about it because ... so I do believe that risk transfer, not the signing of the contract, it is only really when you actually have completed all the implementation, but I do believe that, and we did have several members that asked me the question actually, several members when we announced what we were doing sent in questions about it and asked have you done the cyber analysis, are you worried about it? I was able to, you know, hand on heart write back to them and say yes I have done the review and I am happy that there is not a zero risk, it is never a zero risk, but I am happy that as a board we have fulfilled our obligations if you like, we have taken cyber risk into account in what is primarily a financial transaction and legal transaction and I believe that we have got an audit trail that says that we have managed the cyber risk. Just going back if I could to when things go wrong, there is a couple of points about that because, you know, we did, the particular issue that caused our problem didn't require us to go to the information commissioner because the amount of data that was actually breached was so minute but was quite significant but we did have to go to the regulator actually.
So perhaps we are one of the people responsible for the regulator's new guidelines because we did have a conversation with the regulator and this was a few years ago so their thinking was let's say at an early stage so we may have helped them with their thinking but we did go to the regulator and explained what we had done and how we were managing it and that was a useful step. The other step which is a useful step, but it is useful in a strange way, is a crime has been committed and it is important, people often forget that we lost assets temporarily and if we hadn't acted that would have become permanent and that is a crime and we did report it to the police and what shall I say, they are obviously overworked in the cyber security space but it became a very powerful tool in our negotiations with our service providers if you like for them to know that the police were potentially involved. So don't forget the police, they are actually quite useful in all of this and the other thing is we got technical expertise on board very quickly and I was able to do that because you might not be surprised to learn that I had a few mates in Thales the sponsor who I could phone up who used to work for me and we got our technical expertise looking at the problem very quickly in advance of, let's say, others. Now that technical expertise needs to be managed because it has a tendency to deep dive and will just disappear down to the bottom of the ocean if you let it but we had a pretty coherent technical explanation for what had happened and where that was and that was a very useful step as well. So, that is kind of what I wanted to say. Hopefully I haven't given too many secrets away but you know I have been in the business of secrets for a long time. I think it is important for pensions, it is important to have the right skills on the board.
I think the regulator is going to be asking increasing questions about have you got the ability as a pension scheme to deal with this issue because it is an issue that is not going away and I guess if anybody needs to get in touch with me, Gowlings know my name and address. I have worked with them for many years so please either ask questions through the mechanism of this seminar today or I am happy for Gowlings to get back in touch with me afterwards. Thank you.
Ben: Thanks Phil. We have got a few questions already and I am sure we will have a few more before the end but Amber I will hand over to you now.
Amber Strickland: Thanks Ben and thanks Phil, that was really great, some really great points that I am going to draw on when I am speaking now. So as Ben said my name is Amber and I am a principal associate in the commercial litigation team at Gowling. I specialise in tech disputes with a particular focus on cyber security and data breaches. For that reason I have crossed paths with a number of you on this Webinar in circumstances where we have been working together to manage risks, reviewing third party contracts, putting in place robust cyber incident response plans, engaging in war gaming and testing and coaching you through a cyber attack as part of the breach team and as Phil said I was the associate in the Gowling team who assisted Thales following the cyber attack that Phil mentioned earlier. So today I am going to be discussing some practical steps which you can take in order to assess the security of your supply chain, how you can bolster protections in your supply agreements and what you should be looking for in those agreements. So the red flags. But first of all let's talk about why this is important. From a practical perspective you will know already how heavily dependent pension schemes are on their supply chains. That is something Phil referred to when he was speaking earlier and it is really clear from some of the examples that Phil gave. In its cyber security guidance TPR emphasises the importance of working with the supply chain to ensure that the risk is appropriately managed. In particular, and the quote is on the screen, but it says you should not assume your suppliers and those handling or managing systems on your behalf have taken the required steps. You remain accountable and you should seek assurance or evidence that the right controls are in place and a similar sentiment is echoed in the general code.
So how can you do that within the confines of your current supply contracts and what should you be looking for in terms of amendments or when you are renegotiating those contracts? Remember these provisions need to be agreed with a view to ensuring that they are proportionate to the risks involved. Some of your suppliers like the scheme administrator will hold your member data and some of them will be custodians for scheme assets. These suppliers present a much greater risk to the scheme than for example your legal team or your auditors. You need to shore up the whole supply chain but the frequency and depth of security that you are seeking can be commensurate with the risk involved. So let's start with some practical points and easy wins for you to think about. I know that some of your contracts may be historic or they might not be up for renewal for some time. It might be that you can't renegotiate them mid-term because you don't have the leverage or the time to do it. TPR still expects you to seek assurances and evidence that the right controls are in place. So let's talk about some practical steps that you can take in that respect. Firstly, and this is something that Phil was talking about earlier, you can send the supplier a cyber security questionnaire. This does exactly what it says on the tin. It asks your suppliers to answer questions about the technical and organisational measures they have in place to protect their own systems and the wider supply chain. They might complete this under the audit provisions but if you haven't got any in the contract you could simply ask your relationship manager or your usual contact to help you with it. We found that most suppliers are forthcoming with answering these questions. Secondly, you can check whether the supplier has a specialist accreditation like Cyber Essentials, Cyber Essentials Plus or ISO 27001. You can usually find this out on the website or through your relationship manager or your usual contact.
If they do have a recognised cyber accreditation then this might provide you with some assurances that the right processes and controls are in place. Thirdly you can use a service like Bitsight. What Bitsight does is they look at the likelihood of a company suffering a cyber attack and they will give you an independent security score. You might find that score reassuring or you might not but that is a service that is there so you can help to independently assess how secure those suppliers are. If you are in a position to review your contracts and renegotiate them what should you be looking for in those negotiations? First of all let's start with the audit provisions. Do you have a right to audit your third party suppliers? How frequently does the right to audit arise and will you incur a charge if you exercise the right? We would usually look for at least the right to request that the supplier complete a cyber security questionnaire within a reasonable time of it being provided and a right to conduct a review of the security controls and procedures in place at the supplier. You should also look at what your contract says about information security measures. Sometimes this information will be set out in a separate schedule so it might not be in the body of the contract, it might be in an annex. In line with TPR guidance we expect the contract or that annex to the contract to at least provide an explanation of systems and procedures which are in place to ensure the safe and swift resumption of operations following a security breach or a cyber attack and this would include the requirement to have an incident response plan in place. We would expect it to include reference to requirements to back up data, keep back-ups in safe storage and test the process of restoring back-ups. Just to note that this is less significant in the context of protecting scheme assets but it is still important.
It should set out when and how the trustee will be notified following a security breach so you might need to include in the contracts some named contacts at the trustee who will be contacted in the event of a breach and we would also expect some short timeframes for such a notification. At the very least we would expect them to say a notification should be made without undue delay. We would also expect the contract to include a requirement to put in place sufficient technical measures and controls to mitigate against cyber security risks. Another thing that we would look at is the definitions, so how strong are your definitions? We have seen some agreements which define for example "breach of security" or "cyber security incident" and the definitions are limited such that they don't include, for example, an attack from an internal threat actor, like a disgruntled employee. Often the protections that are in your contracts and the reporting requirements are linked to those definitions so it is essential to make sure that they cover all the possible threats and forms of attack. Liabilities and indemnities are also something that we would look out for. So we would check what the cap on liability in the contract says. Sometimes it just totally carves out liability for data loss or a cyber security incident meaning that the parties have agreed that in the event of one of those there is no liability from the supplier to the client or maybe the supplier's liability might be limited for example to just the fees paid. The damage arising from the cyber attack including loss of data certainly shouldn't be excluded and the costs of such an attack may be significantly more than the amount of the fees. Our view is that there either should not be a cap or the cap should be negotiated as high as possible. We have seen caps in the amount of, for example, £25 million. The cap could also be agreed based on the level of cyber insurance but we would expect push back in that respect.
As a compromise position the trustee could seek to agree a higher cap which applies only to the liability for a breach of security and/or a cyber security incident with the existing cap applying to all other liability under the agreement. Finally the contract should deal with retention of data and how that data is managed following termination or expiry. Trustees can experience issues when they change supplier and the previous supplier retains trustee data and subsequently suffers a cyber attack. The trustee can find it difficult to obtain information about the attack. The process in this respect could be agreed in the exit plan if any is provided for in the agreement but in reality that might fall by the wayside at the end of the agreement and it is likely to be better to include express wording in the agreement that the data protection provisions, including those in relation to provision of information about a data breach or a cyber attack, so notification provisions, will continue to apply following termination and until the data has been deleted. TPR says that the trustee needs to understand how long the supplier will hold the data, where it is being held and how it has been protected. Any agreement should expressly provide for this. So that was just a whistle stop tour of some of the points you should keep in mind to put yourself in the best position to protect scheme data and assets in the event of an attack or a data breach. It is something that you need to keep under review and continually assess. It is not a case of just agreeing a contract at the outset and then forgetting about this. Depending upon the level of risk and the nature of the supplier we would expect potentially annual reviews of this information, for example, through the cyber security questionnaire or the audit provisions. So I am just going to hand back to Ben now and I think we have still got time for some questions.
Ben: Yes we have got time for some questions, thank you Amber. I think that is some really helpful guidance on the contract. I think speaking from my own experience sometimes the trustee can be reluctant to instruct lawyers to look back at contracts for fear that maybe there won't be any room to budge and I think actually there is a bit of a change going on in the market and certainly amongst the third party scheme administrators as a recognition that some of these things do need to be built into, particularly, those old contracts that may well have sat on a dusty shelf for a little while. So you are right Amber we have time for some questions and I will start with one for Phil. So Phil you talked about gold standard practice in some of the third party providers and you were very discreet there and you didn't mention any names but what are some of those things that you look out for as hallmarks of gold standard practice, what are the kind of, the top three things maybe that you look out for there?
Phil: ISO 27001 I would say is the ISO standard, I mean there are some UK standards like Cyber Essentials etc but an ISO 27001 accreditation and forgive me I forget the number for the standard, is it 18001 the standard for, no that's, no there is another standard and forgive me I forget the number which covers disaster recovery. I forget the number of that standard but in my opinion ISO 27001 and I speak as somebody who ran a business that has implemented or was implementing 27001. It is hard work. So ISO 27001. A willingness to discuss it as well. Certainly when I did the cyber due diligence some of the insurers, they said well we are not telling you any details of our system because they are confidential and I said well that is not very helpful but we found a way of doing that, even if I had to sit in a room and they could show me a screen but I couldn't take that away I could then at least hand on heart say you know, I have understood that and what I found is I actually managed to conduct a cyber review with one supplier entirely by them sending me time expired documentation which I was able to read and they were prepared to sign a contract to say that they ran their systems and policies to as a minimum the standards that were expressed in the documentation that they sent me to read and that they had continuous improvement so you know, having received you know, huge great long questionnaires and spent hours filling them in to actually just get someone who said look here are our documents, you have got access to them in a virtual environment for a limited amount of time. I couldn't print them, I couldn't copy them, I couldn't whatever but I read those documents and after a week my access to them expired. I was able to, you could see from that their approach was good.
I think it is also, you need a degree of technical understanding and the trustee needs to get somebody who has, I am not a technical expert but I have worked in and run IT businesses for a long time and you do need a level of technical understanding to assess. So for example when somebody says to me that we run our systems using Citrix and a purely virtual environment, I can understand you know roughly what that means; to the layman what that means is they are not downloading data on to somebody's laptop when they are working at home, that person is logging in from home, is not able to print information so the information doesn't actually move and I think I am really comfortable with that because all the information stays in one place and whoever needs to access it, can access it. So some technical competence that you trust if you like in the trustee board and that is quite hard to find, I guess that is the issue because you can get loads of cyber consultants who, but what they really want to do is fix firewall settings.
Ben: So I suppose it may be engaging with the sponsor Phil and seeing if they have got in-house functions and data protection and cyber experts who potentially they can lend to the trustees.
Phil: Yes engaging with the sponsor. I mean I know you know, not everybody but a lot of the sponsors will, I can see down some of the attendees on the list you sent me and I recognise former customers let's say. Engage with the sponsor.
Ben: Thanks Phil. So a question for you now Amber from an anonymous attendee who is obviously very keen to protect their personal data so well done to that person. So this is about sub-processors Amber, so there won't be a direct contractual relationship to fall back on. Administrators often rely heavily on sub-processors particularly people like software providers. What can trustees do to satisfy themselves that they are comfortable with those sub-processors?
Amber: So there are a couple of things that they can do. In terms of the contracts with the administrator, we would usually expect the administrator to use sub-processors and we don't usually have any concerns with them contracting with sub-processors but what we would suggest is that the contract provides for the obligations that the trustees impose on the administrator to be flowed down to those sub-processors. If the relationship is particularly risky and the sub-processor is particularly significant in that relationship we would sometimes ask to see proof that those obligations have been flowed down and we would include provisions in the questionnaire that we send to the administrator or in the audit that we undertake of the administrator to help us to become satisfied that those obligations have been flowed down to the sub-processor and that the sub-processor has got sufficient technical and organisational measures and controls in place. So it is sort of a two-pronged attack, it's making sure that your contract lines are and that the administrator is imposing those obligations on the sub-processor and secondly it is using your audit provisions or if you don't have any just asking the questions to make sure that you are provided with evidence as to the technical and organisational measures and controls that that sub-processor has in place.
Ben: That is very helpful Amber and I think that is going to be a growing topic for trustees particularly as pensions dashboards start to kick off and that reliance on sub-processors is only going in one direction. Another question for you actually Amber although Phil you may well have thoughts on this as well. Where trustee boards are at the smaller end and have a smaller scale and fewer resources to throw at this, how can smaller trustee boards and smaller schemes prioritise for example their contract reviews or the steps that they are taking to prepare for cyber? So maybe Amber if you take the contractual side of that and Phil you maybe take the steps to prepare for essential cyber risks.
Amber: Yes so in terms of the contracts, fully appreciate and understand that some of these contracts just either can't be negotiated for one reason or another, there is no leverage, there is no time, you know, fully understand that. So I think what the priority position is, is genuinely just checking to see where those red flags are. So some of the points that I have listed earlier, things like the cap on liability, that is potentially quite significant; if data and cyber is carved out of that then that is something that you should be focussing on and trying to renegotiate if you can. If you can't and if it is difficult to renegotiate any of the points that I discussed earlier, and I am possibly encroaching on Phil a little bit in terms of practical steps that you can take, but just satisfying yourself that you have sought the type of assurance that TPR expects. So that is sending those questionnaires, that's having a look at what cyber accreditations they have got and it is potentially using companies like Bitsight to see how your suppliers rate in terms of cyber security. Also internally just getting your own house in order so you know have you got a cyber incident response plan in place? Have you tested it? That is fairly straightforward, it doesn't take too much effort. You can buy them off the shelf but you can also look on websites like NCSC, they have got some guidance on how to put together a cyber incident response plan. If you have got a plan in place it doesn't take too long to put that in place and then just to test it and make sure you are familiar with it and that is something that you can do from a practical perspective to protect the scheme, the data and assets without having to engage in lengthy and potentially fruitless negotiations with the supply chain.
Ben: Thank you. Any thoughts Phil?
Phil: Yes it is a tricky one but first of all I would say that 16,500 members didn't make us a particularly big scheme. That may be big in the context of other schemes but I wouldn't say that a cyber incident response policy sounds like a massive thing that you know only big organisations had, but I was just checking that our whole information security policy runs to eight pages which I wrote myself, probably took me three or four days, and the incident response part of that is one of those eight pages. It doesn't need to be a monumental thing and basically it says make sure that you know that an incident has happened when it has happened, put somebody in charge, and they can be relatively basic things. The other thing I would do is, however big a scheme you are, you can just write to your service providers and say look here is some new guidance from the regulator, please tell me how you are helping me meet this guidance and just take a view. I would say this but if you get the right skills on the board, if you get someone that knows this area you can achieve quite a lot in a few days' work. So don't, yes we had an incident and we were able to call on significant technical capability but it didn't take those people very long, let's say if I remember our incident, we had a pretty clear technical description of what had happened within 48 hours. So, yes there were skilful people but we didn't take them for very long, a few hours each. It is not a bulk thing, it's about getting somebody with the right knowledge and applying that knowledge in relatively small chunks I would say can have quite a positive effect.
Ben: That is great, thanks very much Phil. So we are coming very close to the end of our Webinar and I did promise people a few minutes back in their time for lunch. We do have a couple of other questions so thank you for those people who submitted questions. We will respond to those via email after this session. You will get a link with a recording of this session and also a request for any feedback which is helpful for us because it helps us tailor these sessions going forward. So all that remains really is for me to say a big thank you to Phil and Amber for their input today and to interpreter Rosie who has been helping us behind the scenes here at Gowling and to wish you all a happy rest of your Thursday.
Read the original article on GowlingWLG.com