19 February 2025

It’s hard to ignore how cybersecurity in the pensions industry has been subject to rapid regulatory reform in the last year or so, particularly following the 2023 Capita breach. After all, regulators must ensure that regulation applicable within an area is appropriate; to achieve this for an area that is always developing, reform (whether substantial or minimal, widespread or targeted) is always likely to be on the horizon. However, with the Pensions Regulator’s (“TPR”) updated Cyber Security Principles (“Cyber Principles”) and the final version of the new General Code published on 11 December 2023 and 28 March 2024, respectively, they will be hoping that substantial, widespread reform within the area will not be necessary for a while.

With these reforms having both been published since the start of November 2023, it has never been more important for trustees to understand their cyber obligations. This article provides an overview of the key obligations implemented by both reforms.

1. TPR’s cyber principles

On 11 December 2023, TPR published their updated “Cyber security principles for pension schemes”. This was the first time the principles had been updated since their inception in April 2018.

Due to the sea change in the area since 2018, the Cyber Principles effectively constitute a completely new approach and a new set of principles. Whilst many of the same topics are covered, the approaches taken and the level of detail within them vary significantly. Throughout the Cyber Principles and General Code, TPR refers to “trustees and scheme managers” and the “governing body”, respectively – for brevity, however, we will refer just to “trustees”.

Below, we provide a quick takeaway for what is expected of trustees, followed by a more comprehensive dive into the obligations, within the Cyber Principles.

Quick overview of trustee obligations

The Cyber Principles provides that trustees are “accountable for the security of scheme information and assets”, regardless of whether others handle the data and technology separately. At the very core, trustees must “ensure that your scheme is administered and managed within the requirements of the law, including data protection legislation”.

To meet this obligation, the Cyber Principles state that trustees must:

  1. understand their scheme’s “cyber risk”,
  2. ensure those in charge of handling data have the appropriate “controls in place to reduce the risk of incidents occurring and their impact”, and
  3. manage any incidents that do occur.

In-depth analysis of the trustee obligations

Whilst a useful overview, the above, of course, lacks the necessary clarity in order for trustees to comply with the Cyber Principles with confidence. The remainder of the document, therefore, puts some ‘meat on the bones’ of these core trustee obligations. These include:

  1. Regular Review. Cybersecurity is a constantly evolving area. Accordingly, TPR requires trustees to regularly review (ie. “at least annually and more frequently if there are substantial changes to your scheme’s operations”) the controls that they have in place.
  2. Using experts when appropriate. TPR are appreciative that many trustees will lack the necessary expertise to implement appropriate cyber controls. Therefore, they state that some schemes “may need to seek specialist advice”, whilst others could call on their scheme employer for advice and expertise.
  3. How to work with others. The Cyber Principles are keen to emphasise that trustees “should not assume your suppliers and those handling or managing systems… have taken the required steps. You remain accountable”. Accordingly, trustees should seek to have “Open, transparent and collaborative” working relationships wherever possible. This relationship might involve receiving “regular, plain English reports” on cyber risks.
  4. Assess cyber risk and include in your risk register. To have a comprehensive risk register, TPR suggest that trustees understand…
    1. their “cyber footprint” (including that of their sponsoring/participating employer(s), members and advisors),
    2. “who holds what data, and how and where it flows”. It is not only member data that is relevant here. Trustees should also monitor data held in relation to investments and instructions to advisors, for example,
    3. the monetary value of data held,
    4. how the scheme is vulnerable, including “whether accidental or intentional and caused by internal or external actions”, and
    5. “the potential impact of a cyber incident” on members, the scheme and (potentially) the scheme employer. The impact may be operational, reputational or financial.
  5. Ensuring controls are in place. These controls relate to “people, processes and technology and [must] be proportionate to your cyber risk”.
  6. Staff engagement and training. Staff should “receive training relevant to their role as often as required” (including on phishing awareness and how to use devices, email and the internet) and be educated on the “well-defined lines of responsibility and accountability” for IT systems and processes.
  7. Testing of vulnerabilities. The Cyber Principles explain that “it may be appropriate to seek independent security testing, including penetration testing”, or at least to use the NCSC’s free online cyber security tool to check for common vulnerabilities.
  8. Responding to an issue. The document acknowledges that cyber risks cannot be avoided absolutely. Therefore, TPR are keen for schemes to respond appropriately to any cyber issue. Namely, schemes should…
    1. have “clear processes for staff to report cyber risks and incidents, and be able to do so confidently”,
    2. have a “plan which sets out how to respond to a cyber incident”, which is properly designed and maintained. Our cybersecurity package includes an incident response plan, which we would be happy to discuss in further detail. The plan may be “a stand-alone plan or part of your business continuity plan”,
    3. consider how an incident would impact their “core services” (including pension payments and bereavement services). The document states that any such services should “ideally” become available again within 24 hours, and
    4. communicate promptly with members (potentially before the precise details and implications of the attack are known), address any concerns they have, and keep them updated regarding any investigation.
  9. Reporting an incident. Within the document, TPR ask that schemes “report significant cyber incidents to us on a voluntary basis, in an open and co-operative way, as soon as reasonably practicable”. For clarity, a “significant cyber incident” is one that is likely to “result in a significant loss of member data, major disruption to member services, [or] a negative impact on a number of other pension schemes or pension scheme providers”. Any such report should be made to report@TPR.gov.uk and potentially the ICO. This is another way in which we can assist, as we have extensive experience of filing such reports.

2. TPR’s new general code (cybersecurity takeaways)

On 10 January 2024, TPR released the new General Code – which brings together the ten previously separate Codes of Practice into one go-to document for trustees to ensure compliance with TPR’s rules. Whilst cybersecurity is an important aspect of the General Code, it is different from the Cyber Principles in that the General Code also focuses on other areas of pension scheme trusteeship. The General Code is expected to take effect from 27 March 2024.

One theme to note throughout the General Code’s input on cybersecurity is that the scheme must take steps that are “proportionate to the size, nature, scale, and complexity of [its] activities”.

To note, the sections most relevant to cybersecurity are “Risk Management” and “Cyber Controls” topics – both of which we delve into below.

Risk Management: Identifying, evaluating and recording risks

As put in the General Code itself, by complying with this sub-topic, schemes will be able to “determine which risks require internal controls to be put in place to reduce their incidence and impact”. There are three stages to this:

  1. Identifying: risks, including the likes of trustees and members falling victim to phishing emails or leaking their IT credentials via other means, should be identified.
  2. Evaluating: the scheme should take steps to understand both the likelihood of the risk, and the impact it would have should it occur.
  3. Recording: any record of a risk should be “reviewed regularly” and “key risks” should be recorded in a risk register.

Risk Management: Internal risk

This sub-topic revolves around how to minimise (or as the Cyber Principles put it, “manage”) risk identified in the above sub-topic. Of course, cybersecurity is bound to be one such risk identified.

This is a serious obligation on schemes, as demonstrated by the statement in the General Code that “A persistent failure to put internal controls in place could be a cause of an administrative breach”, and could even require the scheme to “submit a breach of law report” (if the failure is “of material significance”). Equally, though, TPR are keen to emphasise that even the most comprehensive set of internal controls “is not infallible”, and in particular “will not eliminate error or fraud from pension schemes”.

Schemes should note that, regardless of any delegation of their powers, the “legal responsibility for internal controls always rests” with the trustees. To meet this legal responsibility, schemes should consider:

  1. “how the control will be implemented”, and whether the person implementing the control has the skills to do so effectively;
  2. whether the control will “prevent… or merely detect” the risk identified; and,
  3. whether professional advice may be a proportionate step to mitigate this risk.

As always, it is then important for the scheme to maintain these controls, for example by regularly considering the performance of the controls and considering whether it might be appropriate to obtain “independent or third-party assurance about [the effectiveness of the] controls”.

Risk Management: Scheme continuity

As above, TPR are appreciative that a scheme can never completely eradicate the risk of an issue occurring. Therefore, the General Code provides that trustees “should develop and implement continuity plans to ensure that their scheme operations can be maintained, in the event of a disruption to scheme activities”. Amongst the particulars of this obligation is that trustees should…

  1. “seek to ensure that the performance of scheme activities are continuous and regular”,
  2. “have a resilient business continuity plan (BCP) that sets out key actions, in case of a range of events occurring that impact the scheme’s operations”,
  3. “set out roles and responsibilities within the plan”, to ensure that those that should be contacted in the event of an issue are contacted as soon as possible, and
  4. “regularly review process documents and maps”, in particular the BCP.

Cyber controls

Whilst cybersecurity is tangentially relevant throughout the Risk Management section of the General Code, this is where TPR set out their cyber-specific provisions. First off, though, the General Code defines cyber risk as “the risk of loss, disruption, or damage to a scheme or its members, because of the failure of its information technology systems and processes”.

The General Code then takes a similar approach to the above when dictating how trustees should deal with cyber risks – firstly, by providing how to assess cyber risks, and, secondly, how to manage the cyber risks that have been assessed.

  1. Assessing: this can be done by having “clearly defined roles and responsibilities to identify cyber risks and breaches”, ensuring that any cyber risks on the risk register are “regularly reviewed”, using experts where appropriate, and having the likes of “firewalls, anti-virus, and anti-malware products” in place.
  2. Managing: for example, by ensuring that “critical systems and data are regularly backed up”, having policies for how to use devices and technology (in the workplace, from home and working on-the-go), and maintaining a “cyber incident response plan in order to safely and swiftly resume operations” (ie. a BCP that is specific to cyber risks).

3. TPR’s Capita intervention report

It is also important to note TPR’s Intervention Report regarding the Capita breach of March/April 2023.

The incident posed significant risks, including potential data breaches and service disruptions. TPR worked closely with Capita to assess and mitigate these risks, and the report provides their reflections on the incident and response to it. This is summarised below (for detailed analysis of the report, please see our separate blog here).

  1. Immediate Response: TPR emphasises that, after the incident, their “immediate focus was to ensure pensioners and other beneficiaries were able to receive pension payments on time”. Capita were able to promptly confirm that no pension payments were delayed.
  2. Communication: TPR states that “prompt communication should be prioritised so members are informed and can take steps to protect themselves as soon as possible”. To achieve this, TPR encourages schemes to consider using the affected administrator’s template wording (rather than contemplating their own bespoke wording which may mean that communicating with members takes longer).
  3. Regulatory Actions: TPR acknowledges that it does “not have direct regulatory grip over administrators”. This is despite TPR accepting that administrators “are a key service provider to trustees and pension schemes, and we work to influence the best possible outcome” for savers. With this in mind, TPR appear to be eager to expand their influence over administrators. TPR plans to enhance its oversight of administrators and collaborate with the Pensions Administration Standards Association (PASA) to improve standards.
  4. Impact for Trustees: The Intervention Report demonstrated the importance of administrators in the cyber security of a pension scheme. Trustees must therefore be aware of the cyber security policies of their administrator and query any apparent shortfalls of the policies.

4. Recent TPR intervention note

We are aware of one instance where TPR contacted a trustee board to note a cyber incident at the sponsoring employer. The main query from TPR was in regard to the scheme’s readiness for such a cyber incident, such as their policies and procedures. In this instance, the trustee board had in place appropriate policies and procedures, and were able to provide these to TPR who were satisfied with the documents. However, had the scheme not been prepared, TPR may have taken action against the scheme and trustees – despite there not having actually been a breach of the scheme’s security.

This goes to show the importance of preparation, that it is not only the scheme’s own cyber security that is relevant, and that TPR appear to be actively monitoring cyber incidents in their regulation of the pensions industry – including incidents at sponsoring employers.

5. ICO’s updated cyber security report

On 10 May 2024, the Information Commissioner's Office (ICO) released a comprehensive report addressing the rising cyber threats to pension schemes. Key recommendations include:

  1. Strengthening Data Protection: Implement robust data protection policies.
  2. Advanced Security Technologies: Use multi-factor authentication and other advanced technologies.
  3. Regular Audits: Conduct frequent security audits and testing, including ethical hacking.
  4. Staff Training: Enhance staff awareness and training on cyber security.
  5. Incident Response Plans: Develop and document clear incident response plans.
  6. Expert Engagement: Work with cyber security experts to stay ahead of evolving threats.

The ICO’s updated report noted that malware and ransomware remain amongst the most prevalent types of cyber breach – with the NCSC’s Annual Review 2024 highlighting this too, in light of the attacks on Synnovis which disrupted NHS services.

Overall, the ICO’s report underscored the need for a multi-faceted approach to protect pension schemes from sophisticated cyber attacks. See our blog post on this topic here.

6. The rise of artificial intelligence

Artificial Intelligence (AI) is already making an impact on cyber security in the pensions industry, presenting both significant risks and opportunities. As AI technologies like generative AI become more prevalent, they offer powerful tools for enhancing security measures but also introduce new vulnerabilities. The integration of AI in cyber security strategies should be considered in order to mitigate risks and safeguard member data in an increasingly digital landscape. Read our full blog post on the interaction of AI and cyber security in the context of pension schemes here.

7. The UK Cyber Security and Resilience Bill update

The UK Government announced that the new Cyber Security and Resilience Bill will be introduced to Parliament in 2025. This Bill aims to address the increasing cyber threats to UK businesses and public sector bodies by expanding the scope of the existing Network and Information Systems (NIS) Regulations 2018. Key updates expected in the Bill include:

  1. Empowering Regulators: Expanding the powers of regulators, including potential cost recovery mechanisms to provide financial resources.
  2. Supply Chain Cyber Management: Focusing on monitoring and managing the cybersecurity of supply chains, identified as an area of increasing vulnerability.
  3. Incident Reporting: Increasing mandatory incident reporting to improve data collection on cyber incidents and enhance understanding of threats and impacts.

The Bill is part of a broader effort and big step towards strengthening the UK's cyber defences in light of recent high-profile cyber-attacks. Whilst not directly relevant to the pensions industry, trustees and stakeholders in the industry alike should keep an eye on the Bill as it progresses through parliament this year.

8. How trustees can ensure compliance

We appreciate that as a trustee, the obligations upon you in relation to cybersecurity – an area that very few have expertise on – can be overwhelming.

For this reason, we have produced a package of documents which will make your scheme ‘cyber-ready’. This package includes:

  1. Cybersecurity policy: to ensure that your scheme has a policy that incorporates the requirements placed upon it by legislation and guidance (including the newly introduced Cyber Principles and General Code).
  2. Best Practice framework: to assist trustees with building cyber resilience.
  3. Hygiene document: which brings together the key documents, provides practical tips on compliance, and a central place for contact details.
  4. Incident Response Plan: to minimise the impact of any cyber issues, and to, again, ensure compliance with the regulatory framework.

The package also includes a checklist, to make it as easy as possible for you to see and understand what needs to be done (and what you have achieved so far).

If you are interested in this package (which will be continually updated to ensure compliance with the recent regulatory changes) please contact Richard Pettit or Samantha Howell.

You may also find it useful to watch our webinar with speakers from TPR and Aon to address key cyber risk issues from a pensions perspective covering the TPR’s expectations, managing your suppliers and understanding your cyber risks. Watch the full webinar on demand here: Cyber Risk for Pension Schemes.

This article was written by Callum Duckmanton, Samantha Howell, and Anousha Al-Masud.
