Thinking “when” rather than “if” about cyber risk

A shift in mindset for pension scheme trustees

You won’t regret time spent planning for a cyber incident that doesn’t happen, but you will regret not being prepared when one occurs.

The pensions industry has had its share of unexpected events in recent years. In my experience, trustees and the industry supporting them have always risen to these challenges. That’s not to say we shouldn’t reflect on lessons learned and continue improving the resilience of pension schemes.

In the last 18 months, cyber risk has been high on trustee agendas, with a number of high-profile incidents making front-page news. This is reflected in LCP’s 2024 Chart your own course report. When asked to rank systemic risks, respondents identified “cyber and the risk posed by AI” as the risk that worries them most. When asked to rate how much they worry about cyber risk on a scale of one to ten, well over half rated this worry as 7 or higher.  

At LCP, we have been helping our clients get to grips with cyber risk, including to consider The Pensions Regulator’s recently updated cyber security principles for pension schemes. Our starting point is that trustees should think “when” not “if”.

Here are my three suggestions for considering cyber risk. These are intended to help improve your scheme’s resilience to unexpected events.

Use our cyber security checklist to see how your scheme compares to the Regulator’s expectations

In our survey we also asked respondents what concerned them most about cyber risk. Not unexpectedly nearly half identified data or system breaches as their biggest concern. However, the ever-evolving nature of cyber risk and uncertainty of the unknown also ranked very highly. Cyber risk is less visible than some other risks, such as insufficient assets or unhedged liabilities. We often hear that it can be difficult to know where to begin.

We have prepared a checklist based on The Pensions Regulator’s expectations which provides a starting point for trustees. The responses gathered can be used to draft a cyber security policy and/or to identify areas for improvement or further focus. There is no one-size-fits-all solution, and we find that different schemes have different areas of concern. Can the sponsor help you with your consideration?

Think of the members’ perspective

We have seen in recent incidents that there can be reputational risks associated with cyber incidents. This is not just in relation to the loss of members’ data but the way that an incident is handled can also lead to reputational damage. Members can (and will) take to social media if they are unhappy. This can lead to further press coverage and negative publicity. In its regulatory intervention report following the Capita cyber incident, the Regulator highlighted the potential communication challenges for trustees. It’s important to recognise that when an incident occurs you might need to contact your members before investigations are concluded if there is a reasonable chance their data is at risk. Are you geared up to communicate with members quickly?

In our personal lives we often receive suspicious emails and cold calls. It’s noticeable that these are getting more sophisticated, not least because the use of AI is making it easier for criminals to draft convincing scams. Those of us that are office based will be familiar with tests and briefings on these risks. Some pension scheme members may not be so familiar, particularly if they have been retired for some time. We frequently warn members about pension scams, why not include reminders and warnings around cybercrime in your next newsletter?

Test your incident response

A scenario-planning workshop (or wargame) is a valuable opportunity to consider, in a safe space, how you would react in the event of an incident. It can be used to test an existing incident response plan, or with a blank sheet of paper. It’s not just the subject that is important but also the opportunity to develop roles and responsibilities and to consider which advisers, experts and other parties you might need to contact and involve in the event of a crisis. It’s important to explore when trustees may need to take action without having the full facts available. These sessions also provide a fantastic opportunity to observe board effectiveness through a group exercise. In every session we have run over the last 12 months there have been lessons learned and improvements made that will prove invaluable when a cyber incident occurs in the future.

Further thoughts

Consideration of cyber risk goes beyond the specific cyber controls module of the General Code and the Regulator’s related guidance. It should be considered in the wider context of a scheme’s Effective System of Governance (ESOG) in areas such as risk management, review and selection of advisers and when considering the maintenance of any key IT systems, including any that are provided by suppliers. You can read our guide to the ESOG here.

We believe scenario planning could and should be used to practise crisis-management responses more widely than cyber risk. Trustees stress test funding levels and hedging strategies frequently, so why not stress test resilience to other scheme-specific risks such as the impact of employer insolvency or issues arising late in a buy-in/out transaction?

If you would like to discuss cyber risk, crisis response or any other governance matters mentioned in this article please do get in touch with Peter Shaw.