
Cyber security guidance for Trustees

The Pensions Regulator issued guidance in April 2018 for Trustees on ‘Cyber Security Principles for Pension Schemes’.

The guidance states that Trustees and scheme managers need to take proactive steps to protect members and assets against cyber threats.

In addition, the Pensions Research Accountants Group (PRAG) has published its guide 'An Overview of the Effects of Cybercrime on Pension Schemes'. This aims to provide guidance to pension scheme Trustees, the pension sector organisations that support them and their advisors about the holistic protection that is needed to minimise the damage caused by cybercrime. The PRAG guide builds on TPR's recommendations.

Jim Gee, Partner and Head of Forensic, Cyber and Counter Fraud Services at Crowe UK, Visiting Professor and Chair of the Centre for Counter Fraud Studies at University of Portsmouth and a member of the PRAG Data Protection and Cyber Security Working Group, says:

"Cybercrime is a fact of life, together with fraud representing almost half of all crime in the UK. It is a continuously evolving phenomenon, akin to a clinical virus, and is undertaken by sophisticated criminal enterprises. Pension schemes have rich seams of data which beneficiaries expect will be properly protected. PRAG's guide describes how Trustees can assess their vulnerability and put in place proportionate protection. At Crowe we have developed a Pension Funds Cyber Vulnerability Survey to help Trustees and those supporting Trustees assess how to approach this risk."

To help you identify what actions you need to take to reduce the risk of cybercrime to your pension scheme, Crowe has developed the Pension Funds Cyber Vulnerability Survey, which can be accessed here.

The Office for National Statistics (ONS) reveals that 4.7 million cyber and fraud offences took place in the 12 months up to September 2017, equating to 44% of all crime. The government’s Cyber Security Breaches Survey for 2017 showed 46% of organisations in the UK had cyber breaches in the previous 12 months, increasing to 68% in large organisations.

Guidance from PRAG

It is perfectly possible that, despite its security measures, an organisation will suffer a cyber breach. If a breach occurs, it is important to have a range of measures in place to manage, investigate and mitigate the damage it may cause. To avoid reputational and financial damage, making sure that pension schemes, and the pensions sector organisations that support them, have the capacity to prepare for and recover from a breach should be a priority for Trustees. While 100% protection is not possible, it is possible to mitigate the legal and financial impact of a breach by minimising compliance failures and so reducing fines. The PRAG guidance covers areas such as explaining cybercrime in its many forms, the legal and regulatory expectations, how to respond, and pre-emptive actions. The PRAG guidance is available to PRAG members via the PRAG website. If you are not already a member of PRAG, anyone can join via the PRAG website.

TPR guidance

TPR's guidance sets out good practice which can be adopted proportionately to the profile of the pension scheme. Key aspects of TPR's guidance are as follows:
  • Roles and responsibilities should be clearly defined, assigned and understood.
  • Trustees should have access to the required skills and expertise to understand and manage the cyber risk in the scheme.
  • Trustees should ensure sufficient understanding of the cyber risk; the scheme’s key functions, systems and assets, its ‘cyber footprint’, vulnerabilities and impact.
  • Cyber risk should be on the risk register and regularly reviewed.
  • Trustees should ensure sufficient controls are in place to minimise the risk of cyber incident, around systems, processes and people.
  • Trustees should gain assurance that all third party suppliers have put sufficient controls of their own in place.
  • There should be an incident response plan in place to deal with incidents and enable the scheme to swiftly and safely resume operations. This includes understanding third party suppliers’ incident response processes.
  • Trustees should be clear on how and when incidents would be reported to them and others, including regulators.
  • Cyber risk is complex and evolving, and requires a dynamic response. Controls, processes and the response plan should be regularly tested and reviewed.

Eddie Hodgart, Risk Director at Crowe, says: "One of the fundamental principles of GDPR for pension arrangements is that Trustees need to ensure pension members' personal data is safe and secure. Managing cyber risk effectively is therefore a critical aspect of meeting Trustees' GDPR requirements."

What you need to do

Trustees should consider the TPR guidance and may find the PRAG guidance helpful when considering their approach to cyber risk. Crowe's Pension Funds Cyber Vulnerability Survey can also be a useful tool to help you identify areas for development. If you would like to discuss these matters or require assistance in strengthening your cyber risk approach, please get in touch with your usual Crowe contact, Jim Gee or Eddie Hodgart.

Jim Gee
Consultant, Forensic Services