Cybercrime is a $7 trillion global industry and cyber criminals are constantly finding new and more sophisticated ways to attack. A UK Government survey on cyber breaches in 2018 found that 43% of businesses had experienced a cyber attack in the last 12 months – a sobering statistic. It is therefore not surprising that whenever I talk with Finance Directors, they invariably say that cybercrime is one of the key risks faced by their business. Cyber risk was also highlighted as an increasing concern by respondents to PTL’s quarterly risk survey.
So where does this leave pension schemes which, after all, are required to hold a considerable amount of membership data and involve the payment and transfer of significant sums of money? Pension schemes are far from immune from the threat of cybercrime. Trustees should therefore not be complacent; they need to take steps to be fully equipped to react to daily and changing threats.
Most trustee boards will have considered the risk of cyber security in recent years. In line with guidance from The Pensions Regulator, I would expect to see cyber risk captured on pension schemes’ risk registers. Trustees will also have taken important steps to comply with the new GDPR requirements that came into effect one year ago on 25 May 2018, with an annual review of GDPR arrangements built into pension scheme annual planners.
In many cases complying with GDPR has led to some significant changes in practice, such as the establishment of dedicated email addresses for trustees (rather than personal email addresses), and enhanced controls around sending and receiving important and sensitive information; for example, by secure websites and using two-factor authentication processes.
But cyber risk considerations can be much wider than this, and I would suggest that more work needs to be done. Trustees need to put in place cyber security policies and create incident response plans that are regularly tested and reviewed. Recognising that trustee boards do not necessarily have expertise in cyber security, this is an area where assistance and expertise from the sponsoring employer can be extremely helpful. War games and dry-run cyber attacks, putting contingencies into practice, can also play a critical part in testing the continuing robustness of cyber security provisions.
One year on from GDPR, now is the time for trustees to focus on the wider aspects of cyber security.