As cyber incidents continue to increase, the pensions industry continues to be under pressure to be vigilant and take action against the significant scale of the cyber security threat. On 28 November 2024, Burges Salmon hosted a webinar to address key cyber risk issues through the lens of pension schemes.
Our panel of speakers discussed what action pension schemes should take to build their cyber resilience, focusing on two key themes: managing your suppliers and understanding your cyber risk. The panel was made up of You Yu (The Pensions Regulator, Policy Delivery Lead), Paul McGlone (Aon, Partner) and Samantha Howell (Burges Salmon, Senior Associate and Cyber Governance Lead), with partner Richard Pettit (Burges Salmon, Partner) chairing and quizzing the panel with relevant questions.
This update summarises the key takeaways from the webinar.
THE PENSIONS REGULATOR’S EXPECTATIONS
You Yu from The Pensions Regulator commented that “while trustees and the pension industry have been aware of the cyber risk for a while, the Capita incident that occurred last year really made it real for many people.”
Therefore, to better support trustees, especially those managing smaller schemes, The Pensions Regulator’s guidance on cyber security has been updated with practical tips for schemes to build cyber resilience.
One of the points she drew out as being important to remember is that “trustees are accountable for the security of scheme information and assets, even though, in practice, this may be delegated.” Trustees need to ensure that those handling data have appropriate cyber controls to reduce, detect, and respond to cyber incidents.
She also emphasised that The Pensions Regulator wants to “work with the industry to ensure savers are adequately protected” and encouraged trustees, their advisers and providers to “report significant cyber incidents to [TPR] on a voluntary basis, in an open and co-operative way”.
It is clear that cyber security is an ongoing and inevitable issue that schemes must deal with and prepare for. When asked which areas trustees should consider as their first priority, You Yu said that it would be appropriate for trustees to assess the cyber risk to their scheme and seek assurances from the parties which handle the scheme’s data. She added that it is also important to consider how prepared the scheme is to handle a cyber security incident (noting that there is a degree of proportionality to this depending on scheme size and type).
Another interesting point made was that The Pensions Regulator’s expectations in this area are the same for scheme managers of public service pension schemes, emphasising that there is a legal requirement for public service schemes to establish and operate internal controls that include measures to manage cyber risk.
MANAGING YOUR SUPPLIERS
Provider reviews
Paul McGlone from Aon spoke about trends he was seeing when it comes to provider reviews, including that there has been a notable surge in the number of provider reviews being conducted by schemes as a part of due diligence and there is closer scrutiny over former providers who still retain scheme data.
In terms of carrying out provider reviews in a cost effective way, Paul commented that “we’re seeing more schemes joining forces and doing combined reviews of providers.” In the past 12 months, Aon’s own cyber review team have done about a dozen “multi-scheme” reviews where they approach a provider on behalf of multiple schemes at the same time and share the cost.
Following the review, trustees must decide on the appropriate actions, such as the adoption of Multi-Factor Authentication, changes to cyber insurance policies or updates to data retention policies. However, the importance of each action depends on the provider's current cyber maturity, with larger organisations generally having stronger controls in place. Paul also noted that comparing and contrasting providers on their approach to Multi-Factor Authentication, and on whether they outsource IT support, can help trustees make informed decisions.
Third party contracts
Samantha Howell from Burges Salmon talked about the need for trustees to review third party contracts. She commented that “Pension scheme trustees have a number of really important third party contracts. It’s important to consider the data protection and cyber security provisions within those contracts because ultimately the trustees remain data controllers and therefore responsible for what their data processors (including pension scheme administrators) do with members’ personal data.”
Earlier in the webinar, You Yu had confirmed that trustees should be considering all of their suppliers. Samantha pulled out some third party contracts to consider as priorities from a legal perspective – acknowledging that trustees may not be in a position to review all providers at once – which were:
- Scheme administration contracts: the most obvious starting point is to consider the relevant provisions in the contract with your scheme administrator as they are the key party holding and processing personal data and paying pensions.
- Contracts with investment managers: as “cyber security is wider than just personal data” and they are dealing with significant amounts of scheme assets.
- Buy-in contracts: if you have bought in some benefits with an insurer who then has access to a lot of your data and is working in an administrative role, have you thought about your data protection and cyber security provisions in that buy-in contract?
Samantha went on to summarise the key contractual terms to look out for when it comes to cyber security, which she considers to be:
- Best practice industry guidelines: Third parties should be contractually obligated to follow best practice industry guidelines – a reluctance to comply with this is a red flag.
- Costs of a cyber incident: It is important to understand “whether a third party will be ‘on the hook’ for any costs trustees incur as a direct result of a cyber incident that they suffer”. Even if they are not, trustees should be aware of this.
- Provisions on termination: Provisions on data handling upon contract termination must be understood, particularly if a former adviser who was a data processor would become a data controller on termination as this could have unintended consequences.
Supply chain risks
Pension schemes often rely on a network of third-party providers, from software suppliers to reinsurers, making them vulnerable to supply chain disruptions. Limited visibility into, and informed interrogation of, the supply chain are common blind spots; however, recent incidents, such as the CrowdStrike and MOVEit incidents, underscore the importance of managing these risks.
Paul McGlone commented that while it isn’t possible to avoid supply chain risk, it is also difficult to manage it effectively. In practice, Paul’s view is that what schemes can do, and should do, is ask their providers how they manage relationships and risks with subcontractors and sub-processors.
Pension schemes can mitigate risks by ensuring their suppliers are diligent in managing their own suppliers by keeping clear documentation, accountability for incident reporting, and understanding where liability lies.
UNDERSTANDING YOUR CYBER RISKS
Cyber insurance and impact assessments
Paul McGlone reflected on the 2023 Capita cyber incident, stating that “At the time it felt disastrous, but looking back I’d question whether it was really that bad. In the end no pensions data that we’re aware of was sold on the dark web. No pensioner didn’t get paid. Systems were down only for a short period. No scheme got fined. No scheme paid a ransom. And for most schemes Capita paid the majority of communication and fraud monitoring costs. In short, it could have been an awful lot worse.”
Paul is now seeing schemes ask themselves how much worse it could have been, which is leading them to evaluate their cyber “Value at Risk” (VaR), akin to investment risk assessments. Schemes can estimate the potential cost of a major cyber incident and then decide what to do about it.
One option now available is to consider obtaining cyber insurance and, if so, at what level. Paul noted that cyber insurance policies for pension schemes have only recently started to exist; until now, this option wasn’t available, as cyber insurance had previously been aimed at corporates.
Legal privilege
Samantha Howell also spoke about legal privilege and why it is important to understand this in a cyber security context before a cyber incident takes place. She explained that “in a nutshell, legal privilege protects (written or oral) confidential communications between a lawyer and a client for the purpose of giving or receiving legal advice.”
She explained that the importance of privilege lies in its ability to keep sensitive documents and communications protected, allowing trustees to work through issues in a 'safe space' without the risk of public disclosure. As this can be a vital protection during a breach response, trustees should consider legal privilege in advance of a cyber incident occurring, as a form of protection in case of court cases or regulatory investigations down the line.
Samantha explained that it was important for trustees to “know about legal privilege before a live incident takes place so that they can make an informed decision about whether to instruct lawyers from the outset (as privilege cannot be applied retrospectively).” Making an informed decision involves understanding what the consequences could be – i.e. be prepared for the worst case scenario, which is sensitive documents being disclosed publicly.
Summary of key takeaways
The key takeaways from the webinar were:
- The Pensions Regulator’s expectations:
  - Trustees are accountable for the security of scheme information and assets.
  - Cyber controls must be in place, regularly reviewed, and updated.
  - Trustees should understand the digital presence of all parties involved and the vulnerability of scheme critical functions.
- Managing your suppliers:
  - Trustees remain data controllers and are responsible for what data processors do with members’ personal data.
  - Reviews should be proportionate to the role of the provider.
  - Limited visibility into supply chains and insufficient tools to evaluate suppliers' cyber security are common issues.
- Understanding your cyber risks:
  - Assessing the risk and potential impact of cyber threats is crucial.
  - Understand the coverage and limitations of cyber insurance policies.
  - Involve a legal team early in the incident response to benefit from legal privilege.
Webinar on-demand
An on-demand recording of the webinar is available here: Webinar: Cyber Risk for Pension Schemes
If you would like to explore this topic further with us, please contact your usual Burges Salmon contact or enquire via Samantha Howell or Richard Pettit who would be pleased to help you.