How are pension trustees dealing with cyber security & data protection following the pandemic?
The recent cyber incident that impacted Capita’s systems on 31 March 2023 is a timely reminder for all pension trustees/trustee boards to take stock of their IT security and data protection policies. The loss of personal member data from a cyber-attack or denial of services through disruption to systems can be costly to members through the inability to settle benefits or pay pensions and to trustees through potential fines from the Information Commissioner’s Office (ICO) or The Pensions Regulator (TPR).
This is an area that may not have been a priority during/following the pandemic, whilst pension trustee boards get back to operating as normal. The increase in homeworking as a result of the pandemic has potentially heightened the risks of cyber incidents and data beaches occurring.
Although Capita is still investigating the cyber incident and has recently commented there is some evidence of limited data exfiltration, trustees should remain vigilant to the risk of cyber-attacks or data breaches.
Regulatory requirements
Pension trustees, as Data Controllers, have a legal duty under the UK General Data Protection Regulation (GDPR) to have ‘appropriate technical and organisational measures’ in place to process data securely. This security principle extends to the processing of data by each of a pension scheme’s Data Processors. A cyber security policy setting out cyber risks and the management of those risks is therefore the bare minimum required that trustees need to put in place.
TPR requires trustees to build cyber resilience into their systems to protect members against cyber risk. TPR’s guidance on cyber security requires trustees to assess and understand the risks, put controls in place and monitor and report on those risks and controls. Following the Capita cyber incident, TPR has urged pension trustee boards to understand the potential cyber risks faced by their scheme and put in place appropriate measures to assess and manage cyber risk.
If a cyber incident or data breach occurs, regulations require Data Controllers to take immediate action and report matters to the ICO (within 72 hours), TPR and affected members without delay. However, to do so, trustees will need policies and procedures in place.
Practical steps to cyber security
In practice, what should pension trustees be doing?
- assess and understand your Scheme’s ‘cyber footprint’ and any vulnerabilities
- Ensure the roles and responsibilities of Trustees and Scheme managers are clearly defined and known
- Add cyber risk to your Scheme’s risk register and review it regularly
- Test your systems and your cyber incident policies at least on an annual basis
- Have back up plans in place e.g. in relation to the operation of pensioner payroll
- Ensure your Data Processors have robust internal controls in place to deal with cyber incidents and data breaches
- Put in place and test your incident response plan so that any cyber incidents or data breaches can be dealt with and how / when operations can resume
- Ensure reporting deadlines and processes are known so that any incidents can be reported
- Record cyber incidents and data breaches so action can be taken to mitigate, reduce and learn from them
- Undertake regular training for all staff to understand cyber risks and as new regulations or guidance is introduced.
Future guidance
TPR’s new General Code of Practice (currently in draft) introduces a new module relating to Cyber Controls. These internal controls form part of the Code and sit alongside the Effective System of Governance (ESOG) that Trustees need to have in place and demonstrate compliance with. This new Code is expected to be published soon.
How can Vidett help?
We can help you review your existing cyber security policies to ensure they are appropriate and meet the requirements of the forthcoming General Code of Practice.
