On the go: Three in five schemes now have a cyber strategy and 75 per cent of trustees have some degree of training on cyber risks, according to Aon’s most recent cyber scorecard.
Aon’s ‘Cyber threats to corporate pension schemes’ report surveyed more than 100 schemes with assets ranging from under £10m to more than £10bn, and revealed a mixed picture for cyber awareness among respondents.
While the figures for scheme strategy and trustee training were encouraging, the survey also revealed that most schemes conduct no checks on the security of their cyber portals, despite 70 per cent of information and 86 per cent of data being shared via them.
Trustees are instead relying on the portal providers to conduct checks on their behalf.
The survey also revealed that most schemes have cyber hygiene requirements, though fewer than one in five document these clearly.
Despite 90 per cent of schemes having a data breach policy, more than one-third of those surveyed still send investment instructions via unencrypted email services.
Sixty per cent of schemes have not assessed the potential financial impact of a cyber attack, and only 2 per cent have a cyber insurance policy.
Despite the Pensions Regulator’s guidance in 2018 stating that all schemes should have a robust incident response plan, only two in five schemes reported having one.
Paul McGlone, partner at Aon, said: “Responses in our assessments did vary somewhat by size, with larger schemes performing better on average. However, we concluded that size was not the key determining factor of cyber resilience.
“Rather, it is what the market calls ‘cyber maturity’, with trustee awareness of the issue being a key factor in driving action and maintaining watchfulness.
“Schemes that have identified and understood the issues, and then taken steps to address them, come out of the scorecard assessment well. Schemes that have not yet engaged with the issues do not,” McGlone continued.
“On the plus side, we believe that many improvements can be made swiftly.”
Vanessa Jaeger, principal consultant at Aon, added: “As well as being of interest to trustees, the potential impact of cyber risk on pension schemes should be of definite interest to sponsors, who ultimately pick up the cost of any incident as well as reputational impact.
“Any sponsor that doesn’t know how their scheme is managing cyber risk should be asking that question.”
