Pension Funds Cyber Vulnerability Survey

Organisations that hold certain types of data, such as personal, identity, financial and/or intellectual property data, are particularly attractive to cyber criminals. In addition to the threat posed by cyber criminals, data breaches may be the result of administrative errors.

Organisations have a duty to maintain data security and to deter and prevent cybercrime. A cybercrime or data protection incident can result in reputational damage, financial loss and public embarrassment, and, if the organisation is found to be at fault, significant fines from the Information Commissioner's Office.

Effective risk management requires that Trustees are aware of the risks their Scheme faces and understand how those risks are being managed. Risk management should be proportionate and sufficient. Pension schemes hold high volumes of personal data which is potentially attractive and valuable to cyber criminals. This makes pension schemes potentially vulnerable to cybercrime, for example through ransomware, malicious hacking attacks and fraud. Trustees should consider what arrangements they and their service providers have in place to protect their data, as far as possible, and to be able to recover and mitigate the legal and reputational consequences if attacks do occur.


Governance

1. Are cyber risks integrated into normal risk management procedures/risk register?

Cyber risk should be managed like other areas of risk. There should be periodic risk assessments to assess, evaluate and manage cyber risks.

2. Do the Trustees have a process in place to identify and manage the Scheme’s cyber risks?

Consideration should be given to how the Trustees identify the Scheme’s cyber risks, how frequently the risks are updated, and who is responsible for managing the risks.

3. Do the Trustees understand the Scheme’s cyber risk management practices?

Cyber risk management practices should take into account the Scheme’s access to cybersecurity capabilities, the target level of cyber protection required by the Trustees, and the plan to improve and maintain cyber protection.

4. Have the Trustees considered how cyber risks affect their legal obligations?

Trustees are legally obliged to ensure appropriate controls are in place, including those surrounding cybercrime risks.

5. Have the Trustees assessed whether the Scheme's cyber security ensures compliance with current data protection legislation and future compliance with General Data Protection Regulation?

Trustees are legally obliged to ensure appropriate controls are in place to protect the personal data the Scheme holds. Data protection legislation, including the General Data Protection Regulation which applies from May 2018, sets out those obligations and the fines that may follow a personal data breach.

6. Is a process in place for communicating and reporting cyber risks?

Schemes should consider how cyber risks are measured and communicated internally, and how risks are prioritised and mitigation measures implemented.


Identify

7. Have the Trustees identified the information, data and assets essential to the Scheme?

For example member information, financial information, bank accounts and investment assets.

8. Have the Trustees identified what sensitive information is held?

Schemes hold sensitive information, including personal identification data and financial/payment data, which is attractive to cyber criminals.

9. Have the Trustees identified the key operations, IT systems and information flows vulnerable to cybercrime?

This will include considering the arrangements that outsourced providers have in place, such as third party administrators, payroll providers, buy-in providers, banks, scheme investment managers and custodians, as well as other advisers such as the Scheme actuary, auditor, investment adviser and legal adviser.

10. Do those involved with the Scheme have an awareness of cyber risk and do the Trustees monitor this awareness?

It is important that everyone understands their role in protecting the Scheme from cybercrime: using strong, unique passwords, changing passwords when compromise is suspected, and logging out of systems when not in use. Note that current UK NCSC guidance favours strong, unique passwords and multi-factor authentication over routinely forced password changes.


Protect

11. Does the Scheme meet the Cyber Essentials Plus standard?

The Cyber Essentials scheme was developed by Government and industry. It defines a set of IT controls which, when properly implemented, provide organisations with basic protection from the most prevalent forms of threat coming from the internet; Cyber Essentials Plus additionally requires independent verification that the controls are in place. Further details are available at: https://www.gov.uk/government/publications/cyber-essentials-scheme-overview

12. Have the Trustees tested the strength of the Scheme's IT systems, processes and procedures for cybercrime protection?

Penetration testing should be undertaken periodically to test the effectiveness of the Scheme's cybercrime protection defences. This will involve liaison with all key providers, since much of the Scheme's data is held on their systems.

13. Have the Trustees established the cost of implementing the necessary level of cybercrime protection?

Investment in cybercrime protection should be proportionate to the risk – both financial and reputational – to the Scheme and employer.


Detect

14. Do the Trustees have monitoring processes and procedures to detect a cybercrime attack?

Trustees should liaise with the employer, outsourced service providers and scheme advisers to ensure there are systems in place to detect abnormal activity such as:
- anomalous activity on the Scheme’s systems.
- irregular behaviour by users on websites.
- abnormal external service provider activity.


Respond

15. Is there a plan in place to respond to a cybercrime breach?

Having a plan in place will ensure the Scheme can respond quickly and effectively. The plan should be documented and communicated to all in house teams and outsourced providers.

16. Is there a plan in place to investigate a cybercrime breach?

Schemes that fail to observe the correct protocols may encounter problems that may prevent discovery of what happened, and compromise the Scheme’s ability to mitigate adverse consequences.


Recover

17. Are data systems and important data backed-up on a regular basis?

Regular backups of data systems and important data allow the Scheme to restore its operations after an attack such as ransomware. Backups should be held separately from the live systems and restoration from them tested periodically, so that the Trustees know the Scheme can recover quickly and effectively.

18. Is there a plan in place to ensure appropriate correspondence with the Information Commissioner's Office in response to a cybercrime breach, to mitigate any enforcement response by the Information Commissioner's Office, and, if appropriate, to communicate with members?

The Information Commissioner's Office (ICO) has the power to investigate and levy fines in the event of a personal data breach. The General Data Protection Regulation applies from May 2018 and brings with it significantly higher fines.

19. Is there a plan in place to manage public relations in the event of a cybercrime breach?

A public relations plan should set out how the Scheme and employer would respond to negative publicity in the event of a cyber breach, and also how members would be notified in the event of a breach of their personal data.

20. Is there a review process to learn lessons from any cybercrime attack?

For example, the nature of the attack, how the attack was identified, how it was responded to, and how the Scheme recovered from it.
