2023 saw the first major cyber-attack on a large pension administrator in the UK. Its impact was felt across the industry, from the pension schemes directly affected, which incurred significant governance time and cost to contain the risk to members’ benefits and sensitive information, to the schemes not directly impacted, which were nonetheless encouraged to review and strengthen their approach to cyber education and defences.
As a result, cyber risk is now being recognised as one of the top risks that a pension scheme is exposed to, and for some well-funded or bought-in schemes it may be at the very top of the list.
In this article, we look at some of the critical questions pension trustees, corporates and members should be addressing as a priority, and how cyber professionals, WTW amongst them, can help.
Trustees, corporates and members can all be asking themselves important questions in respect of cyber risk; please see some examples below. What’s notable is that in addition to reinforcing the defences to reduce the likelihood of a cyber attack, further steps are often needed to manage the consequences of a successful cyber attack.
[Table of example questions, with columns for Trustees, Corporates and Members]
Cyber attacks are happening now. Sadly, there is almost nothing you can do to stop these attacks entirely; you can put controls and processes in place to reduce the risk, but a capable and motivated threat actor is likely to find a way in. So, when establishing your governance, risk and readiness approach to cyber, a helpful (if unsettling) perspective to adopt is that an attack on your scheme is a case of ‘when’, not ‘if’.
Cyber-attacks can be nasty, with response and recovery a roller-coaster of emotions that will affect everyone responsible for the delivery and management of a pension scheme. Stakeholders are likely to experience confusion, pressure and anger, and are likely to be forced to make decisions with incomplete information and many unknowns. Therefore, it’s important to know in advance where you will be able to access professional support.
We’ve painted a grim picture here; but it’s not a hopeless one. There are absolutely steps trustees can take to set themselves up to be able to respond to an incident better and recover from it faster. These boil down to two key themes: awareness and preparation.
We should build an awareness of the data we hold, the systems we use and the risks facing our scheme, our suppliers and our members in a cyber context. With this knowledge we can build a response strategy that helps reduce and manage these risks. This goes hand in hand with the second theme: preparation.
In preparing for a cyber attack, schemes and companies should have established processes that will swing into action, and should be confident that those processes are sufficiently robust. A cyber incident response plan specific to your scheme will help ensure that your response effort is understood, controlled and proportionate. Working through a realistic and well-planned cyber ‘war-gaming’ scenario, with your response plan at its centre, can then really test that robustness and drive home a proper ‘muscle-memory’ understanding among those charged with operating it.
For schemes just beginning to get to grips with this area, logical first steps would be to take training as a Board and to undertake a cyber ‘healthcheck’, to learn about your gaps (including in relation to TPR’s General Code) and your susceptibility; this will give you a clear plan of action. For many, the ensuing steps will include drafting a cyber incident response plan and information security policy, submitting themselves to an incident response simulation or ‘war-gaming’ exercise, and putting in place a service provider cyber due diligence framework for advisers and other stakeholders. Further steps could include ‘one step ahead’ member communications that are ready to go, and thinking about training and education that could be provided directly to members. In terms of support, trustees might helpfully turn to the resources available through the sponsor business. We are also on hand to support you through the above activity, via the pensions specialists in our dedicated cyber risk security team.
Do you have a plan? If not, WTW will provide you with some initial guidance to help you get started.