United Kingdom | Publication | June 2023
Pension scheme trustees have been aware of the need for cybersecurity for some time now. Cybersecurity means protecting your electronically secured data, and the IT systems used to process that data, from unlawful outside interference, access or use. At the time of the lockdown during the Covid pandemic, “conventional” crime was hugely reduced but the level of cybercrime exploded - that threat has not receded. In the 12 months ending September 2022, almost half of all crime committed was cybercrime or fraud. In the UK, organisations and individuals are now two and a half times more likely to suffer fraud or cybercrime than any other crime. In the same period, some 44 pension schemes reported successful cyber-attacks to the Information Commissioner’s Office (ICO).
The upshot is that trustees clearly need to be on their guard. In the pension scheme context, cybersecurity breaches can include:
What makes pension schemes such attractive targets, and therefore more vulnerable to a data breach?
Pension schemes are tempting targets to cybercriminals due to the rich source of personal data they control and process. Schemes are particularly vulnerable to ransomware attacks, since paying scheme benefits uninterrupted and as expected is crucial. Some are especially susceptible as they are not properly prepared for an attack.
What are the potential impacts of a successful cyberattack?
A breach can affect the financial and operational function of the scheme in the timely payment of benefits, it can have legal repercussions for the trustees in terms of fines and sanctions from the Regulator, and it can have adverse reputational consequences for the employer, trustees, advisers and administrator too. We have outlined below the specific types of cyber threat of which trustees should be aware.
Cybercriminals have various means of attempting to breach cybersecurity. They apply as much to pension schemes as to any other form of business:
Currently, one of the fastest growing cyber threats is the compromise of software at some point in the supply chain. The chain is only as strong as its weakest link, so it’s necessary to take effective measures to build resilience and raise standards right along it.
Next, we look at the essential steps to building resilience and raising standards in case of attack.
What do we mean by a pension scheme’s supply chain? Essentially, it’s anyone who manages, administers or advises the scheme. It will include the trustees, the sponsoring employer, the administrator, the lawyer, the actuary and any other advisers. It is important for every link in the scheme’s chain to manage and build resistance to attack.
First, as trustees you should address information security in your supply agreements. At the outset, you need to conduct due diligence in assessing the potential cyber risk and ensure that you understand the terms relating to security in any contracts with your advisers and administrators. Some of the questions to ask yourselves include:
The Regulator issued guidance on cyber security principles for pension schemes in 2018, and it remains valid. The draft General Code also addresses the management of IT systems more generally. Some of the Regulator’s expectations are examined more closely below.
The weight of the Regulator’s expectations may seem overwhelming, especially for smaller schemes, but the Regulator’s message is “don’t panic”. Cyber controls, it notes, are similar to any other form of internal control, although it recognises that they may feel different because cybercrime is constantly evolving and unfamiliar. Generally, cyber controls complement the trustees’ duties under data protection law in processing personal data. The Regulator has outlined specific expectations in terms of prevention, detection and response:
Here, we’ve taken extracts from the Regulator’s draft General Code and provided more detail from the guidance on the Regulator’s expectations of trustees in relation to cyber controls, IT system maintenance and business continuity. These apply for the scheme’s internal systems and for oversight of service provision from the scheme’s suppliers. Trustees are not expected to be experts themselves, but they are expected to understand the issues for discussion with their service providers and to ensure that their own systems are compliant.
Cyber controls
Maintenance of IT systems
Business continuity plan
We are seeing an increased focus on cyber risks and the rising presence of controls. Controls are more likely to be in place in larger schemes, which is understandable, but small schemes still need to take a proportionate approach. The number of trustee bodies with the expected level of preparedness and resilience is growing, but incident report plans are by no means universal. Administrators must be a key focus for trustees, but the whole scheme environment and advisory chain should be considered, including individual trustees themselves, who are likely to work from home.
In its statement following a recent and well-publicised cyber security incident, the Regulator reminded trustees that they are responsible for the security of members’ data, and they should check whether their data could be affected. The incident shows the importance of having a robust cyber security and business plan in place.
Norton Rose Fulbright LLP has a dedicated Information Governance, Privacy and Cybersecurity team. We can help you with getting up to date on protecting your scheme’s systems and data, and we can also be there for you if a cybersecurity incident does occur. If you would like to know more, please get in touch with your usual Norton Rose Fulbright pensions contact.
© Norton Rose Fulbright LLP 2023