Comment

Pinsent Masons’ Ellie Ludlam and Charlotte Moss delve into the requirements of the General Code as it relates to cybersecurity.

Well-publicised cyberattacks are becoming a regular occurrence and have affected the pensions industry significantly in the past 12 months.

With the Pensions Regulator (TPR) making clear its expectations in the new General Code, in guidance and now in a regulatory intervention report, schemes cannot ignore the issue.

TPR’s General Code is expected to take effect this week (27 March 2024). Measures to manage cyber risk are part of the effective system of governance and internal controls that many schemes need to implement.

TPR has highlighted “the importance of trustees having robust cybersecurity and business continuity plans”. These should cover a range of scenarios to ensure the safe and swift resumption of operations if an incident occurs. 

Every scheme needs to think about this, TPR reminds us: “If trustees outsource administration, they are still responsible for ensuring scheme obligations towards members are met, and data is handled properly.”

Risks and vulnerabilities

Schemes might not know quite where to start with cybersecurity controls, but TPR’s General Code sets out clear, direct expectations of trustees. Trustees need knowledge and understanding of cyber-risks and to have assessed their scheme’s vulnerabilities.

This is a specialist area and trustees may well need expert advice, particularly if they cannot access expertise through the employer. Specialist advisers have first-hand knowledge of the latest cybersecurity developments. They can provide the necessary training to equip trustees to assess cyber-risks facing their scheme.

Schemes also need to have cybersecurity policies and a cyber incident response plan. There are practical and technical actions too. For instance, IT system controls must be in place and up-to-date, with firewalls, antivirus and anti-malware products, and systems and data must be regularly backed up.

These are points that the Information Commissioner’s Office will typically question and test in the event of a cyber incident, so it is important to have well-documented policies and procedures in place that have been tested.

TPR’s cybersecurity guidance adds helpful detail that will help schemes understand the risks within the scheme and outside, in the supply chain. Schemes can be punished for the failings of a third party, so will want to ensure service providers have adequate cyber controls.

Lessons learned

Our experience helping clients deal with cyber incidents has brought to light valuable practical lessons for trustees.

Even if a scheme already has policies and response plans in place, these will likely need to be updated now the industry has a deeper practical understanding of how cyber incidents play out. Also, up-to-date policies need to be held somewhere accessible for all trustees even when IT systems are down, such as in a specialist breach platform.

Policies and procedures need to be documented, but consider also testing the underlying processes through a simulation exercise. What worked well, what didn’t work and where might there be gaps?

It is crucial for schemes to have a response team lined up ahead of time, with responsibilities and communication lines clearly designated. With this team in place, the scheme should be able to comply with the strict reporting timescales which apply under the UK’s General Data Protection Regulation. 

In the event of a cyberattack, schemes can implement additional security checks to protect member data and accounts and avoid unlawful payments being triggered – for example, by checking unusual payment or transfer patterns or changes to bank account details or personal data. These red flags may indicate attackers are making use of scheme data to scam the members.
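The red-flag checks described above, as an added illustration that is not part of the original article and not any scheme's actual controls: a small Python routine that scans constructed member-account events and flags a payout that closely follows a bank-detail or contact-detail change, or that is far above the member's usual payment. The event fields, the 30-day window and the 3x factor are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median


@dataclass
class Event:
    """One administration event; field names are assumptions for this example."""
    member: str
    kind: str          # "bank_change", "contact_change", "payment" or "transfer_request"
    when: date
    amount: float = 0.0


RECENT_CHANGE_WINDOW = timedelta(days=30)  # assumed threshold: detail change shortly before payout
UNUSUAL_AMOUNT_FACTOR = 3.0                # assumed threshold: payment > 3x the member's median


def red_flags(events):
    """Return (member, reason) pairs for payouts worth a manual check before release."""
    by_member = {}
    for e in sorted(events, key=lambda e: e.when):
        by_member.setdefault(e.member, []).append(e)
    flags = []
    for member, evs in by_member.items():
        history = []  # amounts of earlier payments, used as the member's baseline
        for e in evs:
            if e.kind not in ("payment", "transfer_request"):
                continue
            # Flag any payout within the window after a bank or contact detail change.
            recent = [c for c in evs if c.kind in ("bank_change", "contact_change")
                      and timedelta(0) <= e.when - c.when <= RECENT_CHANGE_WINDOW]
            if recent:
                flags.append((member, f"{e.kind} on {e.when} within "
                              f"{RECENT_CHANGE_WINDOW.days} days of {recent[-1].kind}"))
            # Flag a payment far above the member's established pattern.
            if e.kind == "payment":
                if len(history) >= 3 and e.amount > UNUSUAL_AMOUNT_FACTOR * median(history):
                    flags.append((member, f"payment of {e.amount} on {e.when} exceeds "
                                  f"{UNUSUAL_AMOUNT_FACTOR}x usual amount"))
                history.append(e.amount)
    return flags


# Constructed sample data: M001 changes bank details then requests a transfer,
# M002 receives a payment far above its usual amount, M003 is benign.
SAMPLE_EVENTS = [
    Event("M003", "contact_change", date(2024, 1, 5)),
    Event("M001", "payment", date(2024, 1, 28), 1000.0), Event("M002", "payment", date(2024, 1, 28), 1000.0),
    Event("M001", "payment", date(2024, 2, 28), 1000.0), Event("M002", "payment", date(2024, 2, 28), 1000.0),
    Event("M001", "payment", date(2024, 3, 28), 1000.0), Event("M002", "payment", date(2024, 3, 28), 1000.0),
    Event("M003", "payment", date(2024, 3, 28), 1000.0),
    Event("M001", "bank_change", date(2024, 4, 2)),
    Event("M001", "transfer_request", date(2024, 4, 10)),
    Event("M002", "payment", date(2024, 4, 28), 4000.0),
]

if __name__ == "__main__":
    for member, reason in red_flags(SAMPLE_EVENTS):
        print(member, reason)
```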

If a cyber incident occurs, reporting to members is complicated as there will be competing considerations and practical issues to contend with, along with multiple regulators.

Schemes should consider mandatory reporting and voluntary communication outside of the formal regulatory framework. Having ready-made template communications might help members mitigate risk more quickly. Bespoke updates take time to prepare but may provide clearer explanations and be more accessible to members.

Even where schemes are not affected by a cyber incident, reports of breaches are likely to cause concern among members and prompt queries. Trustees will want to ensure administrators are prepared for this.

Ongoing reviews

When considering scheme governance, it is useful to reflect on whether administration agreements are fit for purpose in relation to cyber incidents.

Schemes that put off reviewing service providers’ terms because of cost will be exposed to bigger risks. Liability caps, indemnities, wider support (preparing communications and enlisting member support services), expenses and even ‘force majeure’ terms all need careful thought.

The job does not stop once good contractual terms are in place. TPR’s General Code highlights the importance of monitoring service providers. 

Once schemes have cyber controls in place, there is no room for complacency.

TPR reminds trustees that cyber risk is complex, rapidly evolving and requires a dynamic response. This means regularly reviewing cyber risk, controls and response plans – and keeping records to prove this has been done.

Ellie Ludlam is a partner at Pinsent Masons, while Charlotte Moss is a senior associate.