With Recent Breaches as a Warning, Experts Stress the Importance of Robust Cybersecurity Practices for Pension Schemes.
In the wake of cyber attacks on major organisations, including the March 2023 breach at Capita by the Black Basta ransomware group, trustees and pension managers are being urged to recognise cyber threats as one of the most significant risks to the security of pension schemes.
Wake-Up Call for Pension Schemes
Around 90 organisations, including pension giants like USS and Axa, reported personal information breaches affecting millions of pension policyholders. This has served as a wake-up call for schemes, highlighting the vulnerability of personal data and the importance of addressing third-party risks in the digital age.
Preparedness is Key
Cyber vulnerabilities extend beyond administrators, and experts emphasise the inevitability of cyber attacks in the digital world. Roseanne Corbett, client director at Muse Advisory, stresses that it's not a matter of 'if' but 'when' a cyber incident will occur. The focus should be on being prepared: well equipped to respond and recover, and resilient in the aftermath of an attack.
Trustees' Responsibilities Clarified
The new TPR general code outlines the roles and responsibilities of trustees regarding cyber risk management. Effective governance requires measures to reduce cyber risk, helping trustees comply with data protection legislation and potentially reducing liabilities in case of a breach.
Mitigating Risks Through Accreditation
Girish Menezes, head of administration at Isio, suggests external accreditations such as Cyber Essentials Plus, ISO 27001, and ISO 27031 to provide assurance of IT security and resilience. These certifications can play a crucial role in safeguarding sensitive financial data and securing retirement futures.
Proactive Measures: Incident Response Plans
While acknowledging that cyber risk cannot be completely mitigated, experts advocate for proactive action, starting with the development of an Incident Response Plan (IRP). The IRP is designed to guide trustees in swiftly resuming scheme operations following a cyber incident, covering data breaches and other events affecting operations.
Human Error and Training
Given that 95% of cyber breaches stem from human error, training staff is imperative. Trustees should work with third-party cyber experts to conduct specialised training tailored to the pension scheme's nuances, ensuring staff are aware of potential risks and how to mitigate them.
Oversight of Third Parties
Third parties, especially administrators, present a significant risk for schemes. Trustees need to actively manage and oversee these providers, asking the right questions and ensuring adherence to GDPR requirements. A lack of understanding and oversight exposes trustees to potential risks within the supply chain.
Proactive Risk Management
Experts stress the benefits of proactive cyber protection, not only in reducing the likelihood of an event but also in limiting impacts when they occur. Being proactive during a breach is critical to protecting the reputation and brand perception of trustee boards and parent companies.
A Call for Industry Commitment
Girish Menezes concludes that by weaving cybersecurity into the fabric of pension operations, the industry can exemplify its commitment to data integrity, earning the trust of beneficiaries and fortifying the foundation of secure retirement planning.