Cybercrime is big business and it’s growing. Is your scheme adequately protected in the event of an attempted cyberattack? Our publication Taking action on pension scheme cybersecurity
set out the main cyber threats and outlined the steps that trustees could and should take to protect their schemes’ and members’ interests.
It should be read in conjunction with this note. This briefing looks at the Regulator’s draft General Code
and its recent statement
in response to a highly publicised pensions data breach and sets out some actions trustees should consider taking to protect their schemes from this increasing risk.
Cybersecurity – why is it essential?
Pension scheme trustees have been aware of the need for cybersecurity for some time now. Cybersecurity means protecting your electronically secured data, and the IT systems used to process that data, from unlawful outside interference, access or use. At the time of the lockdown during the Covid pandemic, “conventional” crime was hugely reduced but the level of cybercrime exploded - that threat has not receded. In the 12 months ending September 2022, almost half of all crime committed was cybercrime or fraud. In the UK, organisations and individuals are now two and a half times more likely to suffer fraud or cybercrime than any other crime. In the same period, some 44 pension schemes reported successful cyber-attacks to the Information Commissioner’s Office (ICO).
The upshot is that trustees clearly need to be on their guard. In the pension scheme context, cybersecurity breaches can include:
- Hackers gaining access to trustees’ or administrators’ computer systems.
- The introduction of a virus or malware.
- Human error by someone processing data incorrectly – for instance, by sending member details to the wrong email address.
What makes pension schemes such attractive targets, and therefore more vulnerable to a data breach?
The attraction of pension schemes as targets
Pension schemes are tempting targets to cybercriminals due to the rich source of personal data they control and process. Schemes are particularly vulnerable to ransomware attacks, since paying scheme benefits uninterrupted and as expected is crucial. Some are especially susceptible as they are not properly prepared for an attack. What are the potential impacts of a successful cyberattack? A breach can affect the financial and operational function of the scheme in the timely payment of benefits, it can have legal repercussions for the trustees in terms of fines and sanctions from the Regulator, and it can have adverse reputational consequences for the employer, trustees, advisers and administrator too. We have outlined below the specific types of cyber threat of which trustees should be aware.
What are the principal forms of cyber threat?
Cybercriminals have various means of attempting to breach cybersecurity. They apply as much to pension schemes as to any other form of business:
- Phishing – this is social engineering to gain access to systems or to deploy malware via email. Spear phishing is an attempt to trick an individual into divulging sensitive information, such as usernames and passwords, by sending a personalised email. This is better targeted and thus can be more dangerous than a generic email sent to large numbers of people used in ordinary phishing attacks.
- Ransomware – here, malicious software is applied to block access to systems and data until a ransom payment is made.
- Distributed Denial of Service (DDoS) – the website or system is bombarded with emails or requests in order to overload and thus disrupt service.
- Cybercrime-as-a-Service – anyone can participate in cybercrime if they’re willing to pay for the means on the dark web. Hackers no longer need special coding skills, or to develop their own malicious software. A “menu” of services is available as a sophisticated organised crime model for those looking to mount an attack.
- Artificial intelligence - AI can be used to increase the automation, speed, frequency and efficiency of attacks. Machine learning offers a huge opportunity to target organisations.
Currently, one of the fastest growing cyber threats is the compromise of software at some point in the supply chain. The chain is only as strong as its weakest link, so it’s necessary to take effective measures to build resilience and raise standards right along it.
Next, we look at the essential steps to building resilience and raising standards in case of attack.
Your scheme’s supply chain - how to increase its resilience to attack
What do we mean by a pension scheme’s supply chain? Essentially, it’s anyone who manages, administers or advises the scheme. It will include the trustees, the sponsoring employer, the administrator, the lawyer, the actuary and any other advisers. It is important for every link in the scheme’s chain to manage and build resistance to attack.
First, as trustees you should address information security in your supply agreements. At the outset, you need to conduct due diligence in assessing the potential cyber risk and ensure that you understand the terms relating to security in any contracts with your advisers and administrators. Some of the questions to ask yourselves include:
- Do the agreement’s security provisions reflect any external consultants’ personal data and the broader confidentiality requirements of the scheme?
- Is the accountability under GDPR and the Regulator (of which, more below) covered?
- How are threats to be reported in the governance, reporting and risk registers? Is it clear whose responsibility such reports are?
- How are incident reporting and remediation dealt with?
- What happens on termination of the contract? A smooth and safe handover to a new supplier is essential, without the scheme being exposed to any new risks.
The Regulator issued guidance on cyber security principles for pension schemes in 2018 and this still remains valid. In the draft General Code it also focuses on the management of IT systems more generally. Some of the Regulator’s expectations are examined more closely below.
Some reassurance from the Regulator
The load of expectation from the Regulator may seem overwhelming, especially for smaller schemes, but the Regulator’s message is “don’t panic”. Cyber controls, it notes, are similar to any other form of internal control, although it recognises that it may feel different as cybercrime is constantly evolving and unfamiliar. Generally, cyber controls complement the trustees’ duties under data protection law in processing personal data. The Regulator has outlined specific expectations in terms of prevention, detection and response:
- Policies should include clear roles and responsibilities on data, devices, detecting and reporting breaches. Ensure that cyber risk is on the risk register and regularly reviewed.
- Systems should have up-to-date technical controls in place, such as firewalls, anti-virus and anti-malware. Regular back-ups should be made of critical systems and data and trustees should satisfy themselves that service providers’ controls are up to date.
- Skill and knowledge are the first line of defence. Staff should be trained regularly and have their levels of awareness tested, for example, with phishing tests. Trustees should maintain their awareness of developments by using the National Cyber Security Centre’s (NCSC) advisories or by joining their information sharing partnership.
- Know what normal system activity looks like and monitor it for suspicious activity.
- Regularly assess the vulnerability of your system and key service providers.
- Know what data you hold and where it is held.
- Receive regular reports from staff on cyber risks and assess your resilience.
- Log digital processing activity and consider keeping an audit trail of operations as a source of investigation in case of a cyber incident.
- It is critical to have a robust cyber incident response plan and test it.
- As a minimum, prioritise services covering pensioner payments, retirement processing and bereavement services.
- Ensure elements of your infrastructure can be shut down to prevent problems like malware spreading. Only bring them back online when you’re confident it’s safe to do so.
- Use the NCSC’s approved incident response provider toolkit for support in event of a breach.
- Comply with obligations to report to the Regulator and the ICO.
- Consider your communications to members and the support you can offer them.
Some more detail on the Regulator’s draft General Code: expectations on cyber controls, the maintenance of IT systems and business continuity
Here, we’ve taken extracts from the Regulator’s draft General Code and provided more detail from the guidance on the Regulator’s expectations of trustees in relation to cyber controls, IT system maintenance and business continuity. These apply for the scheme’s internal systems and for oversight of service provision from the scheme’s suppliers. Trustees are not expected to be experts themselves, but they are expected to understand the issues for discussion with their service providers and to ensure that their own systems are compliant.
- “satisfy themselves with service providers’ controls” – read and probe your suppliers’ policies. It’s sometimes difficult to judge what you might need later at the time of signing the contract, but there may be some available expertise lying with the scheme employer. Are you clear which policies and controls the agreement is subject to – the customer’s or the supplier’s?
- “take action so that policies and controls remain effective” – do the agreements include any continuous improvement obligations and, if so, to what standard. Are any changes to policies subject to notification, consultation or approval?
- “receive regular reports on cyber risks and incidents” – trustees are reliant on their provider ensuring that testing is taking place under the supplier contract. They should understand what to ask for in terms of evidence that appropriate testing is being carried out.
- “maintain a cyber incident response plan in order to safely and swiftly resume operations” – the trustees’ and provider’s obligations don’t stop at having reported an incident. Remedial actions in terms of addressing issues should feed into the scheme’s continuity plan.
Maintenance of IT systems
- “IT systems … [should be] reviewed and updated regularly” “[have a] schedule for the system to be replaced or updated” – what are the arrangements and obligations for continuous improvement? Are there specific timeframes for technology refreshing and updating, for instance when tax thresholds change?
- “Record evidence of how changes are planned and executed within the system” – trustees should ensure that their service providers are able to demonstrate how they meet the Regulator’s requirements in maintaining the IT system at times of operational change.
- “[have a] written policy…for maintaining, upgrading and replacing hardware and software” – what obligation is there on the provider to maintain its policies and procedures? Are there requirements for notification, consultation or approval before any changes are made?
- “evidence that the IT system can meet the current and anticipated physical system requirements” - are there minimum specifications under the contract, and any provision for continuous improvement?
Business continuity plan
- “ensure continuity and regularity in performance” – are there overarching obligations and sufficient resources in terms of personnel and systems?
- “ensure advisers and service providers also have a business continuity plan” – is this covered in the service agreement. If so, is it the provider’s standard plan or bespoke to the scheme? Is it tested on a regular basis?
- “choose how to rely on reports and information” – be clear on what information and reporting is required. What obligations are there to act on test outcomes?
- “roles and responsibilities” – these should be set out within the business continuity plan, with roles being agreed. Are there arrangements to co-operate with other providers? The plan should dovetail with any others.
- “prioritise scheme activities” – where does the scheme fall in the hierarchy of other schemes served by the same provider? Who sets this priority?
- “contingency…to mitigate any under resource” – consider any potential spikes in activity. For instance, once dashboards come online, there is likely to be a flurry of requests and queries from members. Does the provider have sufficient resources to cope?
The current cyber environment
We are seeing an increased focus on cyber risks and the rising presence of controls. Controls are more likely to be in place in larger schemes, which is understandable but small schemes still need to take a proportionate approach. The numbers of trustee bodies with the expected level of preparedness and resilience are growing but incident report plans are by no means universal. Administrators must be a key focus for trustees but the whole scheme environment and advisory chain should be considered, including individual trustees themselves, who are likely to work from home.
In its statement following a recent and well-publicised cyber security incident, the Regulator reminded trustees that they are responsible for the security of members’ data, and they should check whether their data could be affected. The incident shows the importance of having a robust cyber security and business plan in place.
Norton Rose Fulbright LLP has a dedicated Information Governance, Privacy and Cybersecurity team. We can help you with getting up to date on protecting your scheme’s systems and data, and we can also be there for you if a cybersecurity incident does occur. If you would like to know more, please get in touch with your usual Norton Rose Fulbright pensions contact.