Pension schemes are attractive targets for cybercriminals because of the significant assets and members' personally identifiable information (PII) they hold. Coupled with the imperative to pay members' benefits on time, this makes them particularly vulnerable to extortion via ransomware attacks.
To help fight back, the Pensions Regulator (TPR) launched new guidance on Monday 11 December 2023 for pension scheme trustees and scheme managers. It will help them to meet their duties to assess cyber risk, ensure appropriate cyber controls are in place and respond effectively in the event of a cyber incident. The guidance will therefore also be of interest to pension scheme suppliers and advisers, with the former being required to deliver on many aspects of the guidance.
The guidance covers a range of topics and practical steps that are integral to building cyber resilience and meeting the expectations set out in the draft General Code of Practice. These include:
In addition to reiterating valuable advice on meeting the expectations of the draft General Code, TPR is now asking schemes, their advisers and providers to report significant cyber incidents to it on a voluntary basis, in an open and cooperative way, as soon as reasonably practicable.
A significant cyber incident is likely to result in:
This follows the action taken by TPR earlier in 2023 when it wrote to trustees whose schemes were impacted by the cyber attack on Capita, reminding them of their existing legal reporting responsibilities and asking to be kept up to date as the cyber investigation progressed.
Louise Davey, Interim Director of Regulatory Policy, Analysis and Advice at TPR commented on the guidance:
"Cyber risk is complex, evolving and requires a dynamic response. It's a very real threat as we have seen from events this year.
"We want industry to work openly and collaboratively together, and with us, to address the challenges of cyber threats and have a clear plan for when things go wrong. Doing so will make us all more resilient to attacks.
"As part of this, we want to hear about cyber-related incidents so our understanding of issues improves in real time."
The guidance will help many to understand what activities they need to do now, and in the future, to respond to the complex and rapidly evolving threat. However, trustees should continue to review whether they have access to genuinely specialist advice concerning how to properly protect their pension schemes and meet the expectations of the General Code.
The Forensic Services team at Crowe are specialists in this area and work with a range of schemes to understand and meet the requirements of TPR. Please contact Tim Robinson if you would like to discuss the new guidance and how it impacts your scheme.