On 17 March 2021, Burges Salmon hosted a “cyber security and pension schemes” webinar. The event considered cyber security issues through a pensions lens and focussed on how to mitigate the effects of the significant cybercrime threats facing the pensions industry today.

The session was delivered by Crispin Freeman, Senior Associate in Burges Salmon’s Pensions team and Marcus Clayden, Senior Associate in Burges Salmon’s Tech and Data team, along with guest speakers Lucy Stone, Policy Lead at the Pensions Regulator, and Jim Gee, National Head of Forensic Services at Crowe UK.

In terms of key take-home points for pension schemes:

1 – Cybercrime is a real risk for pension schemes

Jim Gee covered the nature and extent of cybercrime today: fraud and cybercrime now account for over 50% of all crimes in the UK.

Pension schemes are attractive targets for cyber criminals because of the 'rich' personal data they control. In addition, the need to pay pensions without interruption makes pension schemes, their administrators and third party suppliers potentially vulnerable to ransomware attacks. The statistics bear this out: 158 breaches relating to the pensions sector were reported to the ICO between the introduction of the GDPR and April 2020, and at least 43 of these appear to have related to cybercrime. Clearly, cybercrime is a tangible risk in the pensions industry and this risk area must be prioritised by pension scheme trustees.

2 – Cybercrime is not a static risk

Our panel also highlighted the changing face of cybercrime. This is a rapidly and continuously evolving area, so the importance of cyber security training for trustees was emphasised. Trustees must understand their responsibilities in relation to cyber security. They must also understand the key risks and what is in place to mitigate those risks. It is vital that such training is given on a regular basis and is kept up-to-date in order to keep pace with evolving cybercrime trends.

3 – It is not a case of “if” a cyber security incident occurs, but “when” – be prepared

The need for trustees to take a proactive approach to protecting members and assets against cyber risk was a key theme of the webinar. As affirmed in the webinar by Lucy Stone of TPR, it is no longer a case of "if" a cyber security incident occurs, but "when." The Pensions Regulator therefore expects trustees to prepare for "when" an attack takes place, which means putting in place a number of pre-emptive measures. Notably, TPR has issued a consultation today on its new combined code of practice, which now embeds the expectations for trustees and scheme managers in this area previously found in its guidance, elevating the status of those expectations.

Burges Salmon recommends that pension schemes take the following pre-emptive steps to ensure that they are ready to manage and mitigate the impact of a cyber security attack:

  • carry out a risk assessment to identify any weaknesses;
  • prepare an incident response plan to ensure that there is a clear, step-by-step plan to follow in the event of an incident;
  • prepare a section of the risk register to specifically record the scheme’s cyber risks and any steps taken to mitigate such risks (and ensure that this is reviewed regularly);
  • ensure that contracts with third party advisors such as administrators and investment managers are reviewed with a view to including appropriate cyber security clauses;
  • ensure that adequate cyber security training is in place for trustees and other key individuals; and
  • ensure that your insurance covers cyber security breaches.

It is important to note that it is not possible for pension schemes to be 100% cyber secure given the pace of change in cybercrime. Instead, pension scheme trustees and managers should focus on building “cyber resilience” within their schemes.

4 – Trustees cannot outsource responsibility for cyber risk

Trustees are accountable for the security of scheme information and assets even when delegating or outsourcing the day-to-day functions of the scheme. Trustees cannot outsource their responsibility for cyber risk (though they can take contractual steps to mitigate their risk). Where trustees place any reliance on a person or an organisation to assist with safeguarding against cyber risk, it is vital that the relevant person or organisation has the necessary expertise. The advantages of independent verification were also discussed.

In addition, trustees cannot automatically rely on any systems or processes that the scheme's sponsoring employer might have in place. Trustees themselves must take active steps to satisfy themselves that the members and assets of the scheme are protected against cybercrime.

5 – Practical guidance from PRAG and PASA can assist

The Pension Administration Standards Association ("PASA") and The Pensions Research Accountants Group ("PRAG") have recently published updated guidance on cybercrime in the pensions industry. Our previous articles cover these in further detail:

Reflecting the seriousness of this risk for the pensions industry, PASA announced in July 2020 that it will be developing a new PASA Standard on Cybercrime as well as standalone Cybercrime Guidance.

A recording of the webinar will be available to watch on demand on our website shortly.

If you would like to explore this topic further with us, please contact your usual Burges Salmon contact or enquire via Alice Honeywill, Crispin Freeman, Susannah Young or Isabella Bentley. For specific queries on data protection and cyber security, David Varney or Marcus Clayden from our Tech & Data Team would be pleased to assist.