The trustees’ role
As trustees are accountable for the security of scheme information and assets (even though others handle data and manage technology on their behalf), they must:
- Understand their scheme’s cyber risk.
- Make sure that those handling data or managing technology on their behalf have controls in place to reduce the risk of cyber incidents occurring and their impact.
- Manage cyber incidents that arise.
Regularly reviewing and keeping records of their assessment of cyber risk, controls and response plans, as well as ensuring they have access to cyber risk expertise, are just some of the steps that TPR expects trustees to take.
More widely, trustees need to ensure that the scheme’s cyber risk is appropriately managed by other parties, including suppliers, and it is an area that needs to be actively considered by trustees when selecting suppliers. Processes should include reporting and monitoring the arrangements in place.
Assessing and understanding the scheme’s cyber risk
Cyber risk should be assessed and included in the scheme’s risk register. This involves understanding:
- The scheme’s cyber footprint, i.e. the digital presence of all parties involved in the scheme.
- The scheme’s critical functions and the systems and assets needed to deliver these.
- Who holds what data, and how and where it flows.
- The value to criminals from data theft or corruption, or the interruption of critical services to members.
- The type and potential severity of incidents to which the scheme is vulnerable.
- The potential impact of a cyber incident on members, the scheme, and where appropriate, the sponsoring employer.
Ensuring cyber controls are in place
Trustees should check that those handling data or managing systems on the trustees’ behalf have controls in place to:
- Reduce the likelihood and impact of a cyber incident.
- Detect cyber incidents.
- Respond effectively.
Responding to cyber incidents
A plan setting out how to respond to a cyber incident should be in place and be regularly maintained. Trustees need to check they have sufficient capability to investigate a cyber incident and any incidents should be documented. Major cyber incidents should be followed up with a post-incident review with the scheme’s response plan being updated in light of the lessons learned as appropriate. Post-incident monitoring may also be necessary in some cases.
Members should be notified of any cyber incidents and kept up to date while investigations progress. Trustees should direct members to relevant information to help protect them from the effects of a data breach, and they could offer support services.
Reporting a cyber incident
TPR is asking trustees and their advisers and providers to report significant cyber incidents to it on a voluntary basis as soon as reasonably practicable. The full investigation into the incident does not need to have been completed before the report is made. A significant cyber incident is one that is likely to result in:
- A significant loss of member data.
- Major disruption to member services.
- A negative impact on a number of other schemes or pension service providers.
Reporting to TPR does not replace trustees’ existing legal reporting requirements which include reporting to the Information Commissioner’s Office (ICO).
How can we help you?
While many trustees may already have cyber security structures in place for their schemes, it will be important to check through TPR’s updated guidance and consider what other steps would be appropriate. Mayer Brown can assist you in the following ways:
Reviewing cyber security arrangements. We can review the structures you have in place, including your cyber security and data protection policies, your incident response plans, and security or data protection arrangements with third party providers.
Responding to breaches. We can draft, or review, your responses to cyber security breaches, including assessing your reporting requirements. In particular, we can draft or review your communications to the ICO, TPR, other regulators and any affected individuals.
Training. We can support you by running a cyber security session which covers TPR’s guidance, and the steps TPR expects trustees to take, to ensure compliance. Cyber security is a fast-developing area and, as recent events show, it is moving closer into the pensions sphere. Therefore, keeping up to date with cyber security developments will be important in helping to ensure you have resilient structures in place.