It is well established that pension schemes hold vast amounts of personal data and assets on digital platforms, which make them attractive targets for cyber criminals. Trustees and scheme managers have an ongoing obligation to take steps to mitigate against any cyber threat and to protect their members and assets as far as possible. 

Earlier this year, as a result of increasing threats faced by pension schemes, the Information Commissioner’s Office (the “ICO”) released a comprehensive report (the “Report”) which focused on the steps and measures that should be taken by organisations (including trustees) in order to bolster cyber security within pension schemes. The Report can be accessed by following the link here.

The Report emphasised the need for enhanced security for pension schemes, noting that there is no single solution due to the increasing sophistication of cyber threats, but that a multi-faceted approach to increasing cyber security was required in order to best protect the pension scheme members and assets. The Report focused on several key threats to pension schemes and identified the most common causes for cyber breaches as phishing, brute force attacks, denial of service, errors and supply chain attacks. Each of these was explored in detail and the Report provides examples and some key principles to consider when trying to reduce the risk of harm from a security breach, based on previous experience. 

The Report also noted that malware and ransomware continue to be among the most common types of cyber breach, but as the ICO had previously issued separate guidance on these, the Report did not expand on them.

Key themes throughout the Report

The Report highlights the importance of understanding the cyber-related threats that pension schemes face and it serves as a call to action for trustees to take steps to reduce these risks. The key recommendations within the report are:

  1. Strengthening data protection policies;
  2. Implementing advanced cyber security technologies (such as multi-factor authentication);
  3. Regular security audits and testing (including use of ethical hackers to simulate attacks and uncover any security gaps);
  4. Enhanced staff training and awareness on cyber security;
  5. Developing an incident response plan; and 
  6. Engaging with cyber security experts to understand and mitigate against ever-evolving security threats. 

In our view, the theme throughout the Report is clear: the ICO’s guidance is to strengthen data protection policies and clearly document schemes’ incident response plans. This position reflects the updated cyber guidance issued by the Pensions Regulator (“TPR”) in December 2023 and the requirements set out in TPR’s General Code of Practice published earlier this year. Together these demonstrate a shift in industry expectations, with consistent calls for proactive steps to be taken to protect against threats to cyber security. 

How can we help?

Burges Salmon have prepared a Cyber Security Package offering which meets the minimum cyber security expectations for trustees set out in the Report. You can find out more information in our Cyber Security Compliance Checklist here.

If you would be interested in finding out more about our Cyber Security Package, or if you have any queries about wider cyber security measures for pension schemes, please contact Richard Pettit or Samantha Howell.