In March 2021, the Pensions Regulator ('TPR') issued a consultation on its new combined code of practice. Currently in draft form, the proposed code of practice includes a new 'cyber controls' module. The consultation closed on 26 May and TPR published its interim response on 24 August, in which it stated that it was going to carry out a full review of the comments received on each of the modules. TPR does not expect to lay the new Code before Parliament until spring 2022 at the earliest, meaning that it is unlikely to become effective before summer 2022. However, the cyber controls module was not one mentioned by TPR as having raised widespread concern, so whilst further changes may be made to the module before next summer, understanding the changes currently proposed will ensure you have a good start on identifying and making any required changes. This briefing considers (1) TPR’s proposed changes as they relate to cyber risk; and (2) what other cyber security measures we would have liked to have seen in the new combined code.
Who should read this update?
Cyber risk is a key risk for all those managing and administering pension schemes. As such, this update is of relevance to trustees or managers of all occupational pension schemes, managers of personal pension schemes and the scheme managers and/or pension board of public service schemes regulated by TPR.
Cyber Controls Module – why do we need it?
Prior to the new Cyber Controls Module (the 'Module'), the last time TPR issued specific guidance on cyber security was in April 2018 (the 'Cyber Security Principles'). Whilst these principles are a useful guide for pension schemes in terms of their approach to cyber risk, cybercrime and responses to it have come some way since 2018.
If you attended our webinar in March this year, you will be aware of the size of the problem: fraud and cybercrime now account for over 50 per cent of all crimes in the UK. In addition, today's cybercriminals are no amateurs: they are sophisticated corporates, running large-scale operations that are often linked to organised crime groups. They are also able to change tack quickly, making it challenging for pension schemes to keep pace with the latest techniques.
And so, whilst the Cyber Security Principles are useful, guidance alone is no longer strong enough to protect pension schemes against the ever-evolving risk of cybercrime. Expectations around cyber security standards clearly needed to be codified. The Regulator’s Codes of Practice are not statements of the law, but they do set out expected standards that are consistent with how a well-run pension scheme would choose to meet its legal obligations. Any alternative approach to that appearing in the Code of Practice would need to meet the underlying legal requirements, and a penalty may be imposed if these requirements are not met. By embedding the expectations for trustees and scheme managers in relation to cyber security in its new draft code, TPR is elevating the status of these expectations. This is a welcome change and indicates the importance of cyber security in the pensions industry today.
TPR additionally published its Corporate Plan 2021-2024 and Corporate Strategy earlier this year. We were pleased to see reference to an 'increased focus' on cyber security, although it is notable that this will not be a focus until years 2 and 3 of the Corporate Plan and there is not yet much detail available.
Cyber Controls Module – the overall effect
Overall, the Module does not introduce anything radically different to the Principles that came before it. It does, however, slightly shift the emphasis to reducing and mitigating risk. This follows recent comments from TPR that it is no longer a case of 'if' a cyber attack occurs, but 'when'. Instead of solely seeking to prevent a cyber attack, then, trustees and scheme managers should focus on taking preparatory steps to ensure that the scheme is adequately prepared for when a cyber attack does take place.
The Module also places greater importance on seeking specialist advice and obtaining regular information on cyber risk and incidents from staff and service providers.
Cyber Controls Module v the Cyber Security Principles – key differences
A key point to note is that the Module is significantly less detailed than the 2018 Principles. It is currently not clear how the Principles and the Module will link – both in the future and at present. Currently, the web-based version of the Module contains a link to the Principles and so we presume that, at least for the time being, the Module and Principles are to be taken together when assessing a scheme’s approach to cyber risk. We await further clarification on the status and development of the Principles from TPR.
As already mentioned, the Module does not introduce anything radical. However, there are a number of subtle differences between it and the 2018 Principles, which we have outlined below:
| Difference | Cyber Security Principles | Cyber Controls Module | Comment |
|---|---|---|---|
| 1. Shift in emphasis | 'Trustees and scheme managers need to take steps to protect their members and assets against the cyber risk' | 'Governing bodies should take steps to reduce the risk of incidents occurring, and appropriately manage any incidents that arise' | Emphasis shifted from protecting against cyber risk to seeking to reduce the risk and mitigate any impact. The approach should be focussed on instilling cyber resilience within the scheme and ensuring that your scheme is prepared for when an attack takes place. Preparing an incident response plan is a useful process. |
| 2. Simulations and testing | 'Controls, processes and response plans should be regularly tested and reviewed' | 'Assess, at appropriate intervals, the vulnerability to a cyber incident of the scheme’s key functions, systems and assets (including data assets) and the vulnerability of service providers involved in the running of the scheme.' | The new requirement to test the scheme’s functions at appropriate intervals is more detailed and there is an emphasis on understanding the scheme’s ‘vulnerabilities’. We recommend schemes consider running a cyber security simulation to test the effectiveness of the incident response plan. |
| 3. Specialists | 'In some cases you may want or need to have the effectiveness of your cyber risk management independently assessed…' | 'consider accessing specialist skills and expertise to understand and manage the risk' | There is now a requirement to consider taking specialist advice in all cases. |
| 4. System updates | N/A | 'Ensure appropriate system controls are in place and are up to date (eg firewalls, anti-virus and anti-malware products).' | There is now an express requirement to ensure that system controls are updated, and specific controls to watch out for have been named. |
| 5. Regular reporting from staff and service providers | 'you should be regularly updated on cyber risks, incidents and controls' | 'Receive regular reports from staff and service providers on cyber risks and incidents.' | Additional detail on who should be reporting formalises the approach and promotes good habits in monitoring cyber risk. |
| 6. Monitoring | '[Ensure that] your controls, processes and response plans are regularly tested and reviewed' | 'Take action so that policies and controls remain effective' | More emphasis on ensuring that the outcome is that processes are as effective as possible at all times. We recommend schemes maintain a cyber security ‘check list’ with agreed timeframes for reviewing specific processes and procedures. |
What else would we have liked to have seen in the cyber controls module?
Whilst the draft Module is a welcome addition to the guidance that we have to date on cyber risk in the pensions sphere, we note a number of areas that could have been expanded in the Module; namely:
1 – standards for third parties
We would like to have seen further provisions relating to the standards required from third-party providers (including administrators and fund managers).
The Principles require suppliers to have, or adhere to, 'cyber security standards or good practice guides' and state that their performance must be monitored. The Module requires that trustees 'satisfy themselves with service providers’ controls.' However, there is very little that explains what standards schemes should expect of their third-party providers.
In November 2020, the Pensions Administration Standards Association (“PASA”) issued cybercrime guidance for pension administrators, which included how administrators might meet the relevant legal and regulatory standards. In our view, further guidance on standards for all third-party providers is needed – and better still, such guidance should also be incorporated into a code of practice to demonstrate the importance of these standards in protecting pension schemes against cyber risk. In future, we expect to see as market standard a contractual obligation on providers to adhere to relevant standards.
2 – specialist advice
We were pleased to see that the Module introduces a requirement for schemes to at least 'consider' taking specialist advice. However, we would like to have seen TPR go further and require schemes to take specialist advice (whether internal or external) in this area given its technical nature and the increasing number of cyber incidents that are occurring.
3 – proportionality
Whilst care must be taken to ensure it is clear that all schemes are required to take the necessary steps to reduce cyber risk, this is going to look slightly different depending on the scheme. In practice, we have seen a number of clients uncertain over the particular approach that they should be taking.
The Principles state that they can be adopted proportionately to the profile of a given scheme, but do not give any further detail on this. The Module is also silent on this point. Whilst it is understood that it is not possible to be prescriptive on this, we would have expected to see some detail on how, for example, smaller schemes might tailor their cyber security strategy compared with TPR’s expectations of larger schemes.
4 – cyber risk insurance
Insurance for cyber risk is only fleetingly mentioned in both the Principles and the Module. In our view, it would be helpful if the Module included more guidance, including encouraging schemes to check that any existing cover actually meets their expectations and requirements, as in practice this is not always the case.
If you think your scheme already has insurance in place, we recommend checking what is actually covered under the policy.
Takeaways for trustees and pension scheme managers
To ensure that you have made a good start on meeting the requirements of the new Cyber Controls Module, trustees and scheme managers should consider the following steps:
- Prepare an incident response plan;
- Run a cyber security simulation to test the effectiveness of the incident response plan;
- Take specialist advice;
- Ensure that system controls are updated;
- Ensure that there is clarity on who should be reporting incidents, and how;
- Maintain a cyber security ‘check list’ with agreed timeframes for reviewing specific processes and procedures;
- Review contracts with third parties to assess their cyber security standards; and
- Review scheme insurance arrangements to check the extent of any cyber cover.
We are well placed to advise on cyber security and data protection queries in relation to pension schemes of all sizes. If you would like to explore this topic further, please contact Alice Honeywill, Susannah Young, Crispin Freeman, Isabella Bentley or your usual member of our pensions team.