The Pensions Regulator (TPR) has updated its guidance for trustees on cyber security.
What is cyber risk?
TPR defines cyber risk as the risk of loss, disruption, or damage to a scheme – or its members – associated with using information technology. It includes risks to information (data security) arising both internally (for example, from staff) and externally (for example, from hacking).
Trustees’ role
Most trustees are likely to delegate the day-to-day administration of their scheme to a third party. However, the trustees retain overall responsibility for these activities, including making sure that appropriate cyber security measures are in place. TPR stresses the importance of ensuring that trustees:
- understand their scheme’s cyber risk,
- ensure that the scheme’s administrators have controls in place to reduce the risk and impact of incidents occurring and
- manage any incidents that arise.
TPR expects trustees to review their assessment of risk, controls and response plans at least annually and to keep their relevant skills and expertise up to date. The guidance includes a list of the things that trustees should understand, to help them assess cyber risk and account for it in their risk register.
Trustees should also seek assurance from their administrators that adequate controls are in place, for example by asking for evidence of certification against a recognised standard such as Cyber Essentials, Cyber Essentials Plus or ISO 27001.
Ensuring controls are in place
Controls should cover people, processes and technology and be proportionate to the scheme’s cyber risk. The smallest and lowest-risk schemes and suppliers should at least consider having controls as set out in NCSC’s small business guide: cyber security.
Trustees should ensure that controls are in place to cover:
- trustee training,
- data security and
- technical controls around systems that process data.
TPR expects software to be kept up to date and system and network vulnerabilities to be tested for and managed.
Responding to, and reporting, incidents
Trustees should design, document and maintain a plan which sets out how to respond to a cyber incident, as well as ensuring that there are controls in place for detecting cyber incidents early when they happen. They should consider the response plans of third-party suppliers and ensure that they cover the services provided to the scheme.
In particular, trustees should consider how their scheme’s key services – such as pensioner payments, retirement processing and bereavement services – are affected, and the timeframe for bringing these back online.
In the event of an incident, TPR expects trustees to communicate with members promptly, even though all the relevant information is unlikely to be known initially. In a similar vein, TPR asks schemes, and their providers, to report significant cyber incidents to TPR on a voluntary basis, as soon as reasonably practicable, at report@tpr.gov.uk. It is not necessary to conduct the full incident investigation before reporting to TPR.
Notwithstanding this, trustees should be aware of their legal duties, for example the UK GDPR duty to report a personal data breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it (if the breach meets the threshold for reporting). In certain circumstances, it will also be appropriate to report to the National Cyber Security Centre (NCSC) or Action Fraud.
TPR’s full guidance may be read here.