On the go: Trustees bear ultimate responsibility for managing cyber risk even when they outsource administration to a third party, and must ensure they carry out due diligence, according to a new report.
The paper, published by Patrick Kelliher, chair of the Institute and Faculty of Actuaries’ Operational Risk Working Party, and IFoA working party member Vanessa Jaeger, details the types of cyber crime to which pension schemes are most vulnerable and of which scheme trustees need to be aware.
Though many schemes outsource their administration, under the Pensions Act 2004 trustees remain ultimately accountable for cyber security, and it is their job to establish sufficient controls governing both internal and external processes to ensure member and scheme data is kept secure.
“To the extent third parties are affected by cyber attacks, they are likely to be held responsible in the first place,” they wrote.
“However, this does not absolve the responsibility of trustees for ensuring the third parties they use have adequate cyber risk controls, nor eliminate the possibility that a scheme may be fined under [the General Data Protection Regulation] for data breaches by third parties processing data on their behalf — who would be classed as data processors under GDPR.”
For schemes that keep their operations in-house, Mr Kelliher and Ms Jaeger point to the Pensions Regulator’s cyber risk principles as being an effective guide.
“At a minimum, the scheme should look to follow basic cyber hygiene frameworks such as the [National Cyber Security Centre’s] Cyber Essentials framework or the US National Institute of Standards and Technology’s Cybersecurity Framework,” they stated.
Schemes that outsource their operations may delegate the task of managing cyber risk but not ultimate responsibility, and trustees “should assure themselves of the strength of third-party cyber controls both at the outset and on an ongoing basis”.
Mitigating the financial impact of a successful cyber attack is likewise important, Mr Kelliher and Ms Jaeger continued. Trustees should consider whether third parties have sufficient financial resources to deal with the cost of a successful attack, while also paying attention to their sponsor’s cyber controls to ensure they are not left exposed.
“Cyber risk poses a significant threat to pension schemes with the ability to cripple the administration of the scheme, breach the confidentiality of member records, or defraud the scheme and the employer,” they concluded.