There is no doubt that cyber-security is a hot topic right now, in the pensions world and more generally. Fraud and cybercrime now account for over half of all crime in the UK, and data shows that the threat of cybercrime to pension schemes is a very real one. This is particularly concerning given the significant assets and data held by schemes. With group litigation and mass data breach claims on the rise, trustees need to demonstrate active management in this area to minimise the risk of significant loss and damage to reputation.
Research suggests there is a big variance between schemes in how they approach cyber-related issues. A recent study by Aon found that the cyber-readiness of schemes varies according to their size, with smaller schemes more likely to fall short of what is expected. This could well reflect the challenges smaller schemes face in dedicating resources to tackle the problem. However, “cyber maturity” (the process of continually assessing the effectiveness of cyber-security systems over time) remains the key contributing factor in cyber resilience regardless of scheme size, and trustee engagement has a big part to play in that process.
Trustees cannot outsource their responsibility for cyber risk. They have a duty to put adequate controls in place, internally and externally, to manage the issue. When a cyber-security incident inevitably happens, trustees who have not considered the risks and made a plan could face scrutiny, fines and legal action. Trustee indemnity insurance may help in certain circumstances if a claim is made, but the potential loss extends beyond any action against the trustees directly. Huge costs will arise in taking advice and dealing with a cyber-related problem even absent any claim, and in that situation trustee indemnity insurance is unlikely to help.
If we accept that a cyber breach is inevitable, then the real question is what trustees should be doing to mitigate the impact. Lucy Stone, the policy lead at the Pensions Regulator, provides this simple advice:
“Go and find [the policy]. If you don’t know where it is, ask where it is. Look at it and assure yourself that it’s fit for purpose.”
Proper governance and controls are key. Trustees should attend training, assess the risks specific to their scheme, and have a plan. They should demonstrate awareness of and an active approach to cyber risk even when using third-party providers. The Pensions Administration Standards Association published cybercrime guidance for pension administrators in November 2020; my colleague Samantha Howell notes in her blog how useful this guidance is for trustees in understanding what steps administrators should be taking in relation to cybercrime.
Cyber criminals will change and adapt to avoid being caught, so schemes will never be immune to the threat, but resilience is key. Trustees play a crucial role in building cyber resilience within their schemes. By understanding the risks, taking the necessary steps to protect the scheme and its critical assets, and having a plan in place to react and recover quickly when an incident occurs, trustees can reduce the risk of significant loss, reputational damage and claims.
Join us on 17 March 2021 for our Pensions Law Webinar: Cyber Security and Pension Schemes for more guidance on tackling cyber security issues.
Many schemes are ill-prepared to combat the increasing threat of cyber risks and fraud.