Current cyber risk
The risk of suffering a cyberattack is, at this time, high. In 2022, 39% of UK businesses identified a cyberattack, a figure that is said to be underreported, and 21% of those attacks were said to be more sophisticated in nature, such as those involving the use of malware, ransomware or denial of service (DoS) attacks.
Articles in Pensions Age and European Pensions in Autumn 2023 highlighted research which concluded that there had been a 4,000% increase in reported cyber security breaches by UK pension schemes in 2022/23 compared with 2021/22. This huge increase in attacks targeting pension schemes is likely because they:
- Usually have several third-party suppliers involved in the running of schemes
- Hold large volumes of highly sensitive personal information which is rarely backed up in duplicate data files with a different entity e.g. the sponsoring employer
- Hold large volumes of financial information for the payment of pensions
- Hold significant assets.
It's also important to remember that it isn't just the cyber risks facing your own network and security controls that can affect your organisation and its data. We have seen in the past few months a big increase in supply chain attacks by threat actor groups. Examples include the Capita breach and, more recently, the MOVEit file transfer software vulnerability that was exploited by the Cl0p ransomware group. This particular file transfer software was used by many suppliers to larger organisations, including those in the pensions sector, which hold a significant amount of personal data.
TPR updates to cyber security requirements
The TPR's new General Code builds upon the statutory requirements of Section 249A of the Pensions Act 2004 for trustees or managers of an occupational pension scheme to establish and operate an effective system of governance including internal controls, along with expanding on existing TPR guidance on cyber security.
The General Code, amongst other things, states that governing bodies of occupational pension schemes must:
- Understand cyber risk, including having clearly defined roles and responsibilities to identify cyber risks and breaches, and to respond to cyber incidents
- Consider accessing specialist skills and expertise to understand and manage the risk
- Understand the need for confidentiality, integrity and availability of the systems and services for processing personal data, and the personal data processed within them
- Ensure cyber risk is on the risk register and regularly reviewed
- Assess, at appropriate intervals, the vulnerability to a cyber incident of the scheme’s key functions, systems and assets (including data assets) and the vulnerability of third party service providers involved in the running of the scheme and their ability to deal with cyber incidents
- Receive regular reports from staff and service providers on cyber risks and incidents
- Ensure appropriate system controls are in place and are up to date (e.g. firewalls, anti-virus and anti-malware products) and that critical systems and data are regularly backed up
- Keep policies for the use of devices, and for home and mobile working
- Keep policies and controls on data in line with data protection legislation (including access, protection, use and transmission)
- Keep policies dealing with the report of breaches to the Information Commissioner
- Keep a cyber incident response plan in order to safely and swiftly resume operations
- Have regard to the Regulator's recently updated guidance on cyber security when assessing the suitability of their existing arrangements.
What should you do?
In light of the increased risk of cyberattacks and the TPR's focus on cyber security, it is more important than ever to ensure that you have sufficient systems and controls to appropriately manage cyber risk. With this in mind, we would encourage all of our pensions clients to take the opportunity now to assess their current cyber security posture, including the adequacy of their service providers' systems and controls and of the data and cyber security policies that are in place.
How can we help?
We are specialists in cybersecurity law and have a dedicated team of cyber risk advisors from the insurance and data sectors who can help prepare you for incidents, minimise risks and manage exposures. We offer a comprehensive service from proactive prevention to post-incident management and investigations. Go to our cyber risk page for more information on how Womble Bond Dickinson can help protect you and your business from cyber risks through our two-pronged pre-emptive measures and post-breach response approach.