Cybersecurity for UK pension schemes – where are we now?
Cybercrime is big business, and it’s growing.
This briefing, sourced from Norton Rose Fulbright, looks at:
- the Regulator’s draft General Code; and
- a recent statement, issued in response to a highly publicised pensions data breach, which sets out some actions trustees should consider to protect their schemes from this increasing risk.
It should be read in conjunction with the Norton Rose Fulbright publication, Is your scheme adequately protected in the event of an attempted cyberattack?
Cybersecurity – why is it essential?
- Pension scheme trustees have been aware of the need for cybersecurity for some time now. Cybersecurity means protecting your electronically stored data, and the IT systems used to process that data, from unlawful outside interference, access or use.
- During the Covid lockdowns, “conventional” crime fell sharply while cybercrime exploded, and that threat has not receded.
- In the 12 months ending September 2022, almost half of all crime committed was cybercrime or fraud. In the UK, organisations and individuals are now two and a half times more likely to suffer fraud or cybercrime than any other crime. In the same period, some 44 pension schemes reported successful cyber-attacks to the Information Commissioner’s Office (ICO).
- The upshot is that trustees clearly need to be on their guard. In the pension scheme context, cybersecurity breaches can include:
- Hackers gaining access to trustees’ or administrators’ computer systems.
- The introduction of a virus or other malware.
- Human error by someone processing data incorrectly, for instance by sending member details to the wrong email address.
What makes pension schemes such attractive targets and more vulnerable to a data breach?
- The attraction of pension schemes as targets
- Pension schemes are tempting targets for cybercriminals because of the rich store of personal data they control and process. They are particularly exposed to ransomware, since uninterrupted, on-time payment of benefits is critical and that pressure makes paying the ransom more tempting. Some schemes are especially susceptible because they are not properly prepared for an attack.
- What are the potential impacts of a successful cyberattack?
- A breach can affect the financial and operational functioning of the scheme, including the timely payment of benefits; it can have legal repercussions for the trustees in the form of fines and sanctions from the Regulator and the ICO; and it can have adverse reputational consequences for the employer, trustees, advisers and administrator too. We have outlined below the specific types of cyber threat of which trustees should be aware.
What are the principal forms of cyber threat?
- Cybercriminals have various means of attempting to breach cybersecurity. They apply as much to pension schemes as to any other form of business:
- Phishing – social engineering, usually by email, to trick a recipient into handing over credentials, clicking a malicious link or opening an attachment that deploys malware. Spear phishing is a personalised version aimed at a specific individual, often using details about the scheme or its people. Because it is better targeted it is more convincing, and thus more dangerous, than the generic email sent to large numbers of people in an ordinary phishing campaign.
- Ransomware – here, malicious software is applied to block access to systems and data until a ransom payment is made.
- Distributed Denial of Service (DDoS) – a website or system is flooded with requests or network traffic from many sources at once in order to overload it and disrupt service, for example a member portal or an administrator’s payment system.
- Cybercrime-as-a-Service – anyone can participate in cybercrime if they’re willing to pay for the means on the dark web. Hackers no longer need special coding skills, or to develop their own malicious software. A “menu” of services is available as a sophisticated organised crime model for those looking to mount an attack.
- Artificial intelligence – AI can be used to increase the automation, speed, frequency and efficiency of attacks, for instance by generating convincing, well-written phishing messages at scale. Machine learning gives attackers a powerful means of selecting and targeting organisations.
- Currently, one of the fastest growing cyber threats is the compromise of software at some point in the supply chain. The chain is only as strong as its weakest link, so it’s necessary to take effective measures to build resilience and raise standards right along it.
- Next, we look at the essential steps to building resilience and raising standards in case of attack.
- Your scheme’s supply chain - how to increase its resilience to attack
- What do we mean by a pension scheme’s supply chain? Essentially, it’s anyone who manages, administers or advises the scheme. It will include the trustees, the sponsoring employer, the administrator, the lawyer, the actuary and any other advisers. It is important for every link in the scheme’s chain to manage and build resistance to attack.
First, as trustees you should address information security in your supply agreements.
- At the outset, you need to conduct due diligence in assessing the potential cyber risk and ensure that you understand the terms relating to security in any contracts with your advisers and administrators. Some of the questions to ask yourselves include:
- Do the agreement’s security provisions cover the personal data handled by external consultants as well as the broader confidentiality requirements of the scheme?
- Is accountability under the UK GDPR and to the Regulator (of which, more below) covered?
- How are threats to be reported in the governance, reporting and risk registers? Is it clear whose responsibility such reports are?
- How are incident reporting and remediation dealt with?
- What happens on termination of the contract? A smooth and safe handover to a new supplier is essential, without the scheme being exposed to any new risks.
- The Regulator issued guidance on cyber security principles for pension schemes in 2018, which remains valid.
- The draft General Code also focuses on the management of IT systems more generally.
- Some of the Regulator’s expectations are examined more closely below.
Some reassurance from the Regulator
- The weight of expectation from the Regulator may seem overwhelming, especially for smaller schemes, but the Regulator’s message is “don’t panic”.
- Cyber controls, it notes, are similar to any other form of internal control, although it recognises that it may feel different as cybercrime is constantly evolving and unfamiliar.
- Generally, cyber controls complement the trustees’ duties under data protection law in processing personal data. The Regulator has outlined specific expectations in terms of prevention, detection and response:
- Policies should include clear roles and responsibilities on data, devices, detecting and reporting breaches. Ensure that cyber risk is on the risk register and regularly reviewed.
- Systems should have up-to-date technical controls in place, such as firewalls, anti-virus and anti-malware. Regular back-ups should be made of critical systems and data and trustees should satisfy themselves that service providers’ controls are up to date.
- Skill and knowledge are the first line of defence. Staff should be trained regularly and have their levels of awareness tested, for example with phishing tests. Trustees should maintain their awareness of developments by using the National Cyber Security Centre’s (NCSC) advisories or by joining its Cyber Security Information Sharing Partnership (CiSP).
- Know what normal system activity looks like and monitor it for suspicious activity.
- Regularly assess the vulnerability of your system and key service providers.
- Know what data you hold and where it is held.
- Receive regular reports from staff on cyber risks and assess your resilience.
- Log digital processing activity and consider keeping an audit trail of operations as a source of investigation in case of a cyber-incident.
- It is critical to have a robust cyber incident response plan and test it.
- As a minimum, prioritise services covering pensioner payments, retirement processing and bereavement services.
- Ensure elements of your infrastructure can be shut down to prevent problems like malware spreading. Only bring them back online when you’re confident it’s safe to do so.
- Use the NCSC’s toolkit of approved incident response providers for support in the event of a breach.
- Comply with obligations to report to the Regulator and the ICO.
- Consider your communications to members and the support you can offer them.
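Two of the expectations above, knowing what normal activity looks like and keeping an audit trail that can be searched after an incident, are abstract until you see them applied to real records. The following is an added example, not code from the briefing, the Regulator or any administrator’s system. It parses a constructed audit trail from a hypothetical pension administration system (the user names, member IDs, IP addresses and log format are all invented for the example), builds a per-user baseline of daily record-access volume and source addresses over three quiet days, then checks a fourth day for the kind of activity a compromised administrator account produces: a burst of member-record exports, out of hours, from an address that user has never used. The 07:00 to 19:59 working window and the three-standard-deviation volume threshold are assumptions a scheme would tune to its own administrator’s pattern.

```python
"""Baseline-and-alert check over a constructed pension-administration audit log.

Added example; the log lines, users, IPs and thresholds are invented for
illustration and are not taken from any real scheme or regulator guidance.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed sample audit trail (not real data), one event per line:
# "timestamp user action member_id source_ip". 4-6 Sept form the baseline;
# 7 Sept is the day being checked. The last six lines are the suspicious burst.
AUDIT_LOG = """\
2023-09-04T09:12:03 jsmith VIEW_MEMBER M10021 10.0.5.21
2023-09-04T10:05:41 jsmith VIEW_MEMBER M10077 10.0.5.21
2023-09-04T11:40:12 jsmith UPDATE_ADDRESS M10077 10.0.5.21
2023-09-04T15:20:55 jsmith VIEW_MEMBER M10132 10.0.5.21
2023-09-04T09:48:10 alee VIEW_MEMBER M10200 10.0.5.34
2023-09-04T14:02:37 alee VIEW_MEMBER M10218 10.0.5.34
2023-09-05T08:58:19 jsmith VIEW_MEMBER M10011 10.0.5.21
2023-09-05T10:31:00 jsmith VIEW_MEMBER M10045 10.0.5.21
2023-09-05T13:15:44 jsmith VIEW_MEMBER M10046 10.0.5.21
2023-09-05T16:05:02 jsmith VIEW_MEMBER M10301 10.0.5.21
2023-09-05T09:20:28 alee VIEW_MEMBER M10222 10.0.5.34
2023-09-05T11:47:53 alee UPDATE_BANK_DETAILS M10222 10.0.5.34
2023-09-05T15:30:11 alee VIEW_MEMBER M10250 10.0.5.34
2023-09-06T09:05:36 jsmith VIEW_MEMBER M10099 10.0.5.21
2023-09-06T12:22:14 jsmith VIEW_MEMBER M10140 10.0.5.21
2023-09-06T14:50:09 jsmith VIEW_MEMBER M10141 10.0.5.21
2023-09-06T10:10:45 alee VIEW_MEMBER M10260 10.0.5.34
2023-09-06T16:40:27 alee VIEW_MEMBER M10261 10.0.5.34
2023-09-07T09:30:00 jsmith VIEW_MEMBER M10150 10.0.5.21
2023-09-07T11:12:19 jsmith VIEW_MEMBER M10151 10.0.5.21
2023-09-07T14:03:42 jsmith VIEW_MEMBER M10152 10.0.5.21
2023-09-07T10:25:08 alee VIEW_MEMBER M10270 10.0.5.34
2023-09-07T15:55:31 alee VIEW_MEMBER M10271 10.0.5.34
2023-09-07T23:41:02 jsmith EXPORT_MEMBER M10001 203.0.113.77
2023-09-07T23:41:05 jsmith EXPORT_MEMBER M10002 203.0.113.77
2023-09-07T23:41:08 jsmith EXPORT_MEMBER M10003 203.0.113.77
2023-09-07T23:41:11 jsmith EXPORT_MEMBER M10004 203.0.113.77
2023-09-07T23:41:14 jsmith EXPORT_MEMBER M10005 203.0.113.77
2023-09-07T23:41:17 jsmith EXPORT_MEMBER M10006 203.0.113.77
"""

BASELINE_DAYS = [date(2023, 9, 4), date(2023, 9, 5), date(2023, 9, 6)]
CHECK_DAY = date(2023, 9, 7)
WORK_HOURS = range(7, 20)  # 07:00-19:59 treated as normal (assumption for the example)


def parse(log):
    """Turn raw log text into (timestamp, user, action, member_id, ip) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, action, member, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, action, member, ip))
    return events


def build_baseline(events, baseline_days):
    """Per user: (mean daily events, population stdev, set of source IPs seen)."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> event count
    ips = defaultdict(set)
    for ts, user, _, _, ip in events:
        if ts.date() in baseline_days:
            daily[user][ts.date()] += 1
            ips[user].add(ip)
    baseline = {}
    for user, per_day in daily.items():
        counts = [per_day.get(d, 0) for d in baseline_days]  # zero for quiet days
        baseline[user] = (mean(counts), pstdev(counts), ips[user])
    return baseline


def detect(events, baseline, day, sigma=3.0):
    """Return (user, reason, detail) alerts for `day` against the baseline."""
    alerts = []
    per_user = defaultdict(list)
    for e in events:
        if e[0].date() == day:
            per_user[e[1]].append(e)
    for user, evs in per_user.items():
        # An account with no baseline history is treated as zero activity, so
        # anything it does is flagged; a brand-new admin account deserves a look.
        avg, sd, known_ips = baseline.get(user, (0.0, 0.0, set()))
        if len(evs) > avg + sigma * sd:
            alerts.append((user, "volume", f"{len(evs)} events today, baseline {avg:.1f} (sd {sd:.1f})"))
        off_hours = [e for e in evs if e[0].hour not in WORK_HOURS]
        if off_hours:
            alerts.append((user, "off_hours", f"{len(off_hours)} events outside {WORK_HOURS.start:02d}:00-{WORK_HOURS.stop:02d}:00"))
        for ip in {e[4] for e in evs} - known_ips:
            alerts.append((user, "new_ip", f"{ip} not seen for this user during baseline"))
    return alerts


def run_example():
    """Build the baseline from the constructed log and check CHECK_DAY."""
    events = parse(AUDIT_LOG)
    baseline = build_baseline(events, BASELINE_DAYS)
    return baseline, detect(events, baseline, CHECK_DAY)


if __name__ == "__main__":
    _, found = run_example()
    for user, reason, detail in found:
        print(f"ALERT {user:8} {reason:10} {detail}")
```

Run as written, the check flags only jsmith, on all three grounds: nine events against a baseline of about 3.7 a day, six events at 23:41, and a source address (203.0.113.77) the account has never used, while alee’s two ordinary views pass. The point for trustees is not this particular script but what it needs in order to work: an audit trail that records who touched which member record, when and from where, retained long enough to build a baseline, and someone (in practice the administrator) who actually reviews the alerts. Those are the questions to put to a service provider when asking for evidence that monitoring is in place.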
Some more detail on the Regulator’s draft General Code: expectations on cyber controls, the maintenance of IT systems and business continuity
- Here, we’ve taken extracts from the Regulator’s draft General Code and provided more detail from the guidance on the Regulator’s expectations of trustees in relation to cyber controls, IT system maintenance and business continuity.
- These apply to the scheme’s internal systems and to oversight of service provision from the scheme’s suppliers.
- Trustees are not expected to be experts themselves, but they are expected to understand the issues for discussion with their service providers and to ensure that their own systems are compliant.
- “Satisfy themselves with service providers’ controls” – read and probe your suppliers’ policies. It’s sometimes difficult to judge what you might need later at the time of signing the contract, but there may be some available expertise lying with the scheme employer. Are you clear which policies and controls the agreement is subject to – the customer’s or the supplier’s?
- “Take action so that policies and controls remain effective” – do the agreements include any continuous improvement obligations and, if so, to what standard. Are any changes to policies subject to notification, consultation or approval?
- “Receive regular reports on cyber risks and incidents” – trustees are reliant on their provider ensuring that testing is taking place under the supplier contract. They should understand what to ask for in terms of evidence that appropriate testing is being carried out.
- “Maintain a cyber-incident response plan in order to safely and swiftly resume operations” – the trustees’ and provider’s obligations don’t stop at having reported an incident. Remedial actions in terms of addressing issues should feed into the scheme’s continuity plan.
Maintenance of IT systems
- “IT systems … [should be] reviewed and updated regularly” “[have a] schedule for the system to be replaced or updated” – what are the arrangements and obligations for continuous improvement? Are there specific timeframes for technology refreshing and updating, for instance when tax thresholds change?
- “Record evidence of how changes are planned and executed within the system” – trustees should ensure that their service providers are able to demonstrate how they meet the Regulator’s requirements in maintaining the IT system at times of operational change.
- “[Have a] written policy…for maintaining, upgrading and replacing hardware and software” – what obligation is there on the provider to maintain its policies and procedures? Are there requirements for notification, consultation or approval before any changes are made?
- “Evidence that the IT system can meet the current and anticipated physical system requirements” - are there minimum specifications under the contract, and any provision for continuous improvement?
Business continuity plan
- “Ensure continuity and regularity in performance” – are there overarching obligations and sufficient resources in terms of personnel and systems?
- “Ensure advisers and service providers also have a business continuity plan” – is this covered in the service agreement? If so, is it the provider’s standard plan or one bespoke to the scheme? Is it tested on a regular basis?
- “Choose how to rely on reports and information” – be clear on what information and reporting is required. What obligations are there to act on test outcomes?
- “Roles and responsibilities” – these should be set out within the business continuity plan, with roles being agreed. Are there arrangements to co-operate with other providers? The plan should dovetail with any others.
- “Prioritise scheme activities” – where does the scheme fall in the hierarchy of other schemes served by the same provider? Who sets this priority?
- “Contingency…to mitigate any under resource” – consider any potential spikes in activity. For instance, once dashboards come online, there is likely to be a flurry of requests and queries from members. Does the provider have sufficient resources to cope?
The current cyber environment
- There is an increased focus on cyber risk, and controls are more widely in place than before.
- Controls are more likely to be in place in larger schemes, which is understandable, but small schemes still need to take a proportionate approach.
- The number of trustee bodies with the expected level of preparedness and resilience is growing, but incident response plans are by no means universal.
- Administrators must be a key focus for trustees, but the whole scheme environment and advisory chain should be considered, including individual trustees themselves, who are likely to work from home.
- In its statement following a recent and well-publicised cyber security incident, the Regulator reminded trustees that they are responsible for the security of members’ data and that they should check whether their own data could be affected.
- The incident shows the importance of having a robust cyber security and business continuity plan in place.