Pension Funds Cyber Vulnerability Survey
Organisations that hold certain types of data such as personal, identity, financial and/or intellectual property, are particularly attractive to cyber criminals. In addition to the threat posed by cyber criminals, data breaches may be the result of administrative errors.
Organisations have a duty to maintain data security and to deter and prevent cybercrime. A cybercrime/data protection incident can result in reputational damage, financial loss and public embarrassment, as well as subsequent fines from the Information Commissioner's Office. If found at fault, organisations can face significant fines.
Effective risk management requires that Trustees are aware of the risks their Scheme faces and understand how those risks are being managed. Risk management should be proportionate and sufficient. Pension schemes hold high volumes of personal data which is potentially attractive and valuable to cyber criminals. This makes pension schemes potentially vulnerable to cybercrime, for example through the use of ransomware, malicious hacking attacks and fraud. Trustees should consider what arrangements they and their service providers have in place to protect their data, as far as possible, and to be able to act to recover from attacks and mitigate the legal and reputational consequences if they do occur.
Governance
Cyber risk should be managed like other areas of risk. There should be periodic risk assessments to assess, evaluate and manage cyber risks.
Consideration should be given to how the Trustees identify the Scheme’s cyber risks, how frequently the risks are updated, and who is responsible for managing the risks.
Cyber risk management practices should take into account the Scheme’s access to cybersecurity capabilities, the target level of cyber protection required by the Trustees, and the plan to improve and maintain cyber protection.
Trustees are legally obliged to ensure appropriate controls are in place, including those surrounding cybercrime risks.
Schemes should consider how cyber risks are measured and communicated internally, and how risks are prioritised and mitigation measures implemented.
Identify
For example, member information, financial information, bank accounts and investment assets.
Schemes hold sensitive information, including personal identification data and financial/payment data, which is attractive to cyber criminals.
This will include considering the arrangements that outsourced providers have in place, such as third party administrators, payroll providers, buy-in providers, the bank, scheme investment managers and custodians, as well as other advisers such as the Scheme actuary, auditor, investment adviser and legal adviser.
It is important that everyone understands their role in protecting the Scheme from cybercrime – using strong passwords, changing passwords periodically, and logging out of systems when they are not in use.
Protect
The Cyber Essentials Plus standard was developed by Government and industry. It defines a set of IT controls which, when properly implemented, provide organisations with basic protection from the most prevalent forms of threat coming from the internet. Further details are available at: https://www.gov.uk/government/publications/cyber-essentials-scheme-overview
Penetration testing should be undertaken periodically to test the effectiveness of the Scheme's cybercrime protection defences. This will involve liaison with all key providers.
Investment in cybercrime protection should be proportionate to the risk – both financial and reputational – to the Scheme and employer.
Detect
Trustees should liaise with the employer, outsourced service providers and scheme advisers to ensure there are systems in place to detect abnormal activity such as:
- anomalous activity on the Scheme’s systems.
- irregular behaviour by users on websites.
- abnormal external service provider activity.
Respond
Having a plan in place will ensure the Scheme can respond quickly and effectively. The plan should be documented and communicated to all in-house teams and outsourced providers.
Schemes that fail to observe the correct protocols may encounter problems that prevent discovery of what happened and compromise the Scheme's ability to mitigate adverse consequences.
Recover
Having a plan in place will ensure the Scheme can recover quickly and effectively. The plan should be documented and communicated to all in-house teams and outsourced providers.
The Information Commissioner's Office (ICO) has the power to investigate and levy fines in the event of a personal data breach. The General Data Protection Regulation comes into force in May 2018, along with significant fines.
A public relations plan should set out how the Scheme and employer would respond to negative publicity in the event of a cyber breach, and also how members would be notified in the event of a breach of their personal data.
For example, the nature of the attack, and how the attack was identified, responded to and recovered from.