In the ever-evolving world of cyber risks, governing bodies, trustees and pension boards must understand their responsibilities and know how to effectively respond in the event of an attack.
The cyber threat to pension schemes specifically is increasing. Capita is reporting losses of an estimated £107m with a significant proportion attributed to the 2023 data breach. Share prices have plummeted 54% since the attack and reputational damage has impacted both Capita and the affected schemes. That’s without even mentioning the impact on individual scheme members and those dealing with the incident.
For trustees and scheme managers, it’s negligent to assume that just because nothing has happened to your scheme yet, nothing will. Also, a lack of knowledge of how to prepare for and respond to an incident is no defence. In this blog, we’ll outline why pension schemes may be targeted, the dangers of not being prepared, and how we can help you get your pension scheme ready to tackle the worst.
Why are pension schemes an attractive target for cyber criminals?
Cyber threats apply to all types and sizes of pension schemes, and the consequences of an attack are equally damaging. There are several reasons why schemes are so attractive to cyber criminals:
- Data: Schemes hold large amounts of personal data, which is attractive to cyber criminals seeking to hold a scheme to ransom or to sell the data on the dark web.
- Multiple points of access: Service providers and advisers, such as administrators, investment managers and other advisers, are all involved in managing scheme activities, including having access to data. This means there are several potential access points for compromising scheme data, and defences are only as strong as the weakest link in the network.
- Outdated: Scheme policies, plans and processes may be out of date in relation to cyber security and business continuity planning. Many trustees use their own electronic devices, which may have less robust security measures. Also, there may be some misunderstanding of the trustees’ responsibilities when it comes to protecting their scheme from a cyber-attack.
- Bad publicity: Sponsors or employers may have a valuable brand they want to protect from negative publicity and reputational damage, making them potentially more willing to follow the demands of the cyber criminals to keep their name out of the public eye.
What are the risks of a pension scheme not being prepared for a cyber-attack?
Pension schemes are exposed to various information security risks, three of which we’ll cover briefly below. Being prepared with robust business continuity plans and response strategies will go a long way towards mitigating these risks.
Cyber risk and loss of data
Schemes hold large amounts of confidential and personal data. The scheme itself or its trustees may not be the target of a cyber-attack; instead, cyber criminals could target third-party service providers by encrypting data and / or disabling access to their systems, demanding a ransom in exchange for releasing the data. This loss of data could cripple the administration of the scheme, disrupting member payments, receipt of contributions or bereavement services. Also, significant costs could be incurred by the scheme in dealing with the aftermath of the incident, as the scheme may come under greater scrutiny from regulators.
Reputational damage
Scheme members and regulators may be able to accept a cyber-attack has happened, but they expect the scheme to be prepared and able to respond quickly and effectively. If the scheme is exposed as being unprepared for an attack, or shown to have acted poorly during the response, the reputational damage will be worse than if they can demonstrate they did everything they could both prior to, and during the attack.
'Business-as-usual' incapacitated
If the cyber-attack is wide-reaching, it can bring a scheme of any size to its knees. In the immediate aftermath, schemes could face the real scenario of having to deal with responding to scheme members and the media, and potentially with reduced IT functionality (possibly compromised devices, insecure Wi-Fi, files deleted etc.). The long-term effects can be severe too – the longer the downtime of critical services, the higher the costs from regulatory fines and possible legal action.
How can I improve my pension scheme's resilience?
Trustees and governing bodies have a challenging job to do in a complex regulatory environment, and given the increased cyber threat landscape, it’s not surprising that the Pensions Regulator (TPR) has growing concerns. It has set out clear expectations in relation to scheme continuity and its role in helping schemes prepare for a cyber incident. In the General Code, TPR sets out its position on scheme business continuity and cyber risk. It has also published separate principles on cyber risk to enhance the principles of the General Code.
In short, schemes and trustees must consider:
- Prioritisation: Prioritise identifying the critical activities or services required to be back up and running as soon as possible after a disruption, whether this is a cyber-attack or any other form of incident. These activities might include receiving and monitoring contributions, pensioner payments, retirement processing and bereavement services.
- Third-party factors: Understand how service providers and advisers fit into ensuring these activities continue following a disruption. This might involve seeking assurances on data protection and security, business continuity planning and testing, and communication channels during an incident.
- Prior planning: Design a scheme continuity plan that considers your priorities and the assurances you have sought from advisers and service providers. You may choose to include your cyber incident response plan or create a separate strategy depending on the size, nature and complexity of your scheme.
- Practice: Test the plan with your trustee / governing body incident response team against an agreed set of objectives. This essential step means you will be prepared and gain muscle memory on how to respond to an incident. This testing, also known as exercising, uses a severe yet plausible scenario as the basis for the response, such as a cyber-attack at an administrator. The lessons learnt from this exercise are invaluable in enhancing your response preparedness and the resilience of your scheme.
Business continuity is more than producing a plan, or thinking you know what to do in the event of a cyber-attack. A pre-prepared response plan alone won’t enable you to respond effectively to an incident, because when it happens, emotions are high. The plan is a valuable tool to remind you of what needs to be done, when and by whom.
At Barnett Waddingham, we believe the expectations set out in the General Code should be viewed as an opportunity for trustees and governing bodies to improve their approach to scheme continuity and to provide assurance to their members, sponsors and the regulators by demonstrating that they go beyond mere compliance measures, because they understand the consequences of an incident can be catastrophic. This is why we have developed our Business Continuity Management and Cyber Risk toolkits for Pension Schemes: guidance for creating or revitalising an effective business continuity plan and / or cyber incident response strategy that goes beyond compliance.
What to do next
While you may have a scheme business continuity plan or cyber response plan, the threats in these areas will continue to change and so your plans must too. For those concerned that they may be lacking when it comes to being prepared for a cyber-attack, consider the following steps:
- Review your plans or seek guidance from experts on how you can enhance your response strategies to bring them into line with best practice. This can be a very practical and effective activity as you may not realise your areas of exposure. For example, in a cyber incident response, stating in your plan you will email members of the trustee incident response team at the outset of an incident is not only impractical, but potentially impossible.
- Review your assurances with service providers and advisers. Ensure your business continuity plans are aligned, especially in relation to communication channels and sharing information with members. The importance of communication during a cyber incident cannot be overstated. Use external experts to help you assess the assurances if you are unsure how this alignment should work in practice.
- Run an exercise to test your plan and team. This can be a quick, easy and practical way to understand what you do well and where your plans and strategies need to be improved, particularly in relation to a cyber incident. In just two hours, you can train your incident response teams on the practical aspects of an incident response, and when using external experts, you will have a report outlining recommendations on how best to improve your plans and strategies.
Barnett Waddingham is able to assist in ensuring your plans, teams and strategies are practical and fit for purpose. Register for our BW Risk Portal to gain access to both our Business Continuity Management and Cyber Risk toolkits, which provide practical guidance on how to establish basic business continuity response strategies and plans, and how to respond to a cyber incident.
Get in touch with your usual BW contact, or email karla.gahan@barnett-waddingham.co.uk to hear more about how we can help overhaul your business continuity management planning.