Any other business: In the event of an act of terror, pensions are likely to be the last thing on anyone's mind, but with senior experts recently predicting the "strong likelihood" of cyber attacks, what should schemes do to protect against the worst?
Adrian Leppard, commissioner of the City of London police, took part in a discussion in New York last week on the repercussions of a serious cyber attack for the two financial centres.
"There could be a very serious impact to the financial institutions of the world through a cyber attack and I think it’s a very strong likelihood that it will happen one day in the future, which is why we’ve got to push back and take action now before it happens," the Financial Times reported him as saying.
He added: "There’ll be evidence to suggest that all of the stock exchanges in the world have been breached in the last 10 years – Nasdaq, London Stock Exchange, all of them."
Penny Cogher, partner at Charles Russell Speechlys, said schemes could find attacks come under “force majeure” clauses in their contracts with investment managers. This could classify cyber attacks as an act of war or an act of God, meaning the manager may not be liable for losses.
“It’s something that people should be taking seriously,” she said. “As a starting point trustees should be looking at their investment management and custodian agreement and [asking] ‘Is there anything we can go back to them about?’... I think what the commissioner was saying was it’s much more of an immediate risk.”
The key for trustees, said Cogher, was for lawyers to examine contracts with investment managers and custodians to assess scheme protection.
She added: “A lot of the time they aren’t reviewed by lawyers but by their investment consultants, it’s not a matter of course.”
Banks are typically reluctant to discuss their security arrangements, but a source at one of the UK's big four, speaking on condition of anonymity, said it required all investment managers to have insurance against losses due to crime, which would cover losses due to acts of terror.
The source added that force majeure would likely only apply if the markets stopped trading.
Richard Butcher, managing director at professional trustee company PTL, said a cyber attack would not necessarily affect the scheme's assets, but may affect liquidity.
“If it’s just an attack the security of the assets per se shouldn’t be affected,” he said. “They would only go astray in a theft. The only implication would be that the trustees would not have access for a period of time.”
He added: “When we sign up to business like this we pass it in front of lawyers to make sure we are protected… you should ensure that your contract gives you adequate protection.”
Butcher said the force majeure clause was more typically applied to act of God events such as earthquakes, and may therefore not apply to man-made events such as cyber attacks. “I’m not sure I’d accept a terror attack as force majeure,” he said.