The Pension Protection Fund (PPF) has released a statement in the last week confirming that some of its current and former employees’ data have been exposed in the wake of a cyber-incident targeting Go Anywhere, a third-party data transfer service.  The statement details that, once the PPF became aware of the cyber-attack (which took place last month), the PPF stopped using Go Anywhere and began an investigation into the potential data breach.  Thankfully, the PPF have been able to assure current members and levy payers that none of their data has been involved in the breach. However, unfortunately, some of the organisation’s current and former employees’ data has been compromised.

The growing number of cyber-attacks in recent years across large and established platforms and organisations in the financial services sector, including national advice firm Succession Wealth, illustrates why the Pension Regulator has regularly used the mantra that pension schemes should prepare for ‘when’ rather than ‘if’ a cyber-attack occurs for some time now.

Having in place a robust cyber security policy, effective and ongoing training and a documented business continuity plan, amongst other measures, all help to reduce the risk that a cyber-incident occurs in the first place.  In the same way that you might look to protect your house from a burglary by installing high-specification locks, CCTV and alarms – rather than leaving the front door open – having these safeguards in place helps to deter cyber criminals from attacking your pension scheme in the first place.

Whilst it is possible – and indeed best practice – for pension schemes to build their cyber resilience to reduce the risk that a cyber-incident occurs, it is unfortunately impossible to eliminate that risk altogether. The attack on Go Anywhere illustrates this unhappy reality, demonstrating that a cyber-attack can happen to any organisation of any size, even one with sophisticated barriers in place. In these circumstances, what will matter is how you react in the face of a cyber-attack. That being said, this cyber-attack demonstrates that no matter how good your scheme’s process is for reacting to such an incident, you should also be asking the right questions of your third party suppliers to make sure that their processes are also appropriate and effective.

Trustees and pension scheme providers should be prioritising both preventative (‘blue hat’) and reactive (‘red hat’) measures, as having a robust plan in place in the event that a cyber-incident does occur is as crucial as protecting your scheme in the first place.  Trustees and providers should therefore ensure that they have developed a well-thought-through incident response plan and carry out regular training and practice ‘drills’ or ‘war games’ to ensure that they know who to contact and how to respond in the face of a cyber-attack.

On 20 April 2023, Burges Salmon are hosting a webinar exploring the ‘red hat’ and ‘blue hat’ measures which trustees and sponsoring employers should be considering.  During the roundtable discussion which features external speakers, Daniel Sibthorpe from Crowe’s National Forensic Services Team and Vanessa Roberts, a Professional Trustee from IGG, we will also launch our Cyber Security Package which contains checklists, policies and documents to help trustees and providers manage cyber risk.

The webinar will be of interest to all trustees, pension advisers and employers.  If you are interested in joining, please register here.

This blog was written by Samantha Howell and Scarlett Sullivan.