In December 2023 The Pensions Regulator (TPR) issued updated guidance for pension scheme trustees and scheme management on how to manage cyber risk to schemes. This was followed in February 2024 by a Regulatory Intervention Report on the Capita cyber security incident. The guidance and the report are designed to support trustees and scheme management to address the evolving nature of cyber risk in the pensions sector, and the increased targeting of schemes and third-party providers by cyber criminals.
What are TPR's expectations of trustees and scheme managers?
Trustees and scheme managers remain accountable for the security of pension scheme information and assets. This means understanding your scheme’s cyber risk, ensuring that organisations handling data or managing technology on your behalf have controls in place to reduce the risk of incidents occurring, and managing any incidents that arise.
The expectation is that risks, controls, and plans should be reviewed regularly and at least annually. Schemes should document the steps taken to confirm cyber security arrangements – be it their own and those of third parties – in order to demonstrate that governance obligations have been fulfilled.
Similar to the previous guidance, schemes should have access to specialist cyber security expertise. This could be resource provided by the employer or external advisers.
Following National Cyber Security Centre guidance
TPR is encouraging the largest and highest risk schemes, their advisers, and suppliers to fully meet the expectations set out in the National Cyber Security Centre (NCSC) 10 Steps to Cyber Security guidance. Smaller schemes and lower risk suppliers should at least consider the controls as set out in the NCSC’s small business guide on cyber security. The NCSC’s guidance is designed as an easy to implement set of steps covering key cyber security domains that promotes good cyber practice.
Ensuring controls are in place
TPR has set out the types of controls that it expects to be in place covering the key areas of prevention, detection, and incident response planning.
Preventing cyber security attacks
- Staff engagement and training: policies for device use, email, and internet, phishing awareness, and reporting incidents
- Data access and protection: encryption, use, and transmission controls in line with data protection requirements, records of scheme data and assets covering where these are held, transmitted, and stored, and backups of critical systems (including offline backups)
- Technical controls including alignment to the Cyber Essentials standard, user access controls, layered authentication such as Multi-Factor Authentication, secure configuration of devices, malware protection, regular vulnerability scanning, and penetration testing
Detecting incidents
Monitor systems and networks so incidents can be identified and responded to.
Incident response planning
Incident response plans should be developed to cover roles and responsibilities, procedures for responding to incidents, communication to members, and reporting to regulators.
Responding to incidents
Trustees and scheme management need ensure that an incident response plan is in place and that this is tested through internal exercises. This can be incorporated into the business continuity plan.
Consideration should be given to the plans of third parties handling data or managing technology for the scheme and the time to bring critical services back online in the event of disruption.
Communicating to members
Trustees and scheme management remain responsible for communicating to members and should be clear when this will happen. Consider planning to keep members informed during the investigation process.
Reporting
TPR are asking schemes, advisers, and providers to report significant cyber incidents on a voluntary basis as soon as reasonably practicable. This can be a partial report if the full incident report isn't available.
TPR's new Funding Code shows that covenant understanding is fundamental for schemes –regardless of funding position.
Pension schemes: Understanding of covenant still critical
How can you meet these expectations?
Understand relevant cyber security threats
Trustees and scheme management should keep up-to-date with cyber threats to the pensions sector and the different types of attacks that could impact schemes together with the likelihood of these occurring. Specialist cyber expertise or insight from the employer’s information security function can support with developing this knowledge and understanding.
Document data and assets
Map your data and assets, including where they are located and who has access, and ensure the restrictions and controls that protect it are clearly documented. Data Controllers must maintain a Record of Processing Activities under the UK GDPR, which covers key documentation requirements.
Ongoing supplier monitoring
The cyber security arrangements of suppliers should be reviewed regularly and at least annually. Internal controls reports and information security certifications should be checked where available and can be a good starting point where there's no or limited right to audit. Information security questionnaires issued to suppliers can provide additional verification of controls in place. For larger schemes on-site testing of arrangements may be appropriate.
Annually review and test plans and processes
Policies and procedures such as the information security policy, data protection policy, and business continuity plan should be reviewed annually to ensure that they reflect good practice and take into account emerging trends and cyber threats.
Build awareness among trustees, scheme management, and stakeholders
Implement a cadence of cyber security training to understand good practice in relation to cyber security and the approaches taken by other comparable schemes to managing cyber security risk. For staff this may also include regular online training modules and behavioural tests, such as receptiveness to phishing.
Put in place and test the incident response plan
Create an incident response plan that sets out roles and responsibilities and the steps to be followed in the event of an incident. Consider liaison with the employer if appropriate. Include aspects such as when insurers should be contacted and when to engage advisers such as lawyers and specialist incident response providers. Test the plan through tabletop simulations to identify any gaps.
Develop communication and reporting processes
Plan communications that may be required to members and other stakeholders in the event of a data breach and / or service disruption. Include multiple channels such as web, social media, and printed communications.
A look ahead
Trustees and scheme management should welcome this guidance as it focuses on addressing a number of cyber risk areas currently facing schemes and the sector more broadly – in particular cyber risk impacting the supply chain. Trustees and scheme management should monitor and assess suppliers for cyber risk, and ensure there are appropriate technical and organisational controls protecting scheme information and that planning is in place to respond to incidents. A proportionate and pragmatic approach to align to the requirements of the guidance can be achieved through following the NCSC’s tools and resources for making organisations cyber-secure.
For further information, get in touch with Charlotte Devlin or Luke Hartley.
