The new report was compiled from the individual assessments of over 100 pension schemes, ranging in size from under £10 million to over £10 billion. It includes greater representation of large schemes (40% had assets of more than £1 billion), which reflects how larger schemes have responded more quickly, both in dealing with the issue of cyber threats and in completing an assessment of their approach.
Paul McGlone, partner at Aon, said: “We launched the Aon Pension Cyber Scorecard as a tool for UK trust-based pension schemes to assess their cyber resilience across a range of areas, and as a means of comparison with other schemes.
“More than 100 UK schemes have now used the scorecard, so we have a detailed view of the state of preparedness across the industry – and it is a mixed picture.
“We can see that some schemes have strong governance across all areas, while others are only starting their cyber journey.
“However, the scorecard also provides a road map for how a scheme can take its cyber controls from novice to proficient in relatively short order.”
Vanessa Jaeger, principal consultant at Aon, said: “In many respects, it’s encouraging that the position across the industry is changing quickly. The very nature of cyber risk means that it is an evolving area in which even the biggest, best resourced, best prepared schemes can’t think ‘job done’ and relax. This is an area that requires periodic assessment to stay on top of the latest challenges.”
Key findings
• Around three in five schemes have a cyber strategy.
• 75% of trustees have training on cyber risks. But fewer than one in five schemes have clearly documented cyber hygiene policies.
• Trustee portals are by far the most common way of sharing information (70%) and data (86%).
• Assessment of cyber controls at administrators is extensive, with almost 90% of schemes conducting checks.
• The majority of schemes do not use specialist expertise to assess the cyber checks of providers such as administrators.
• Over 90% of schemes have a data breach policy, but over a third of schemes still send investment instructions in unencrypted emails.
• Only two in five schemes have a robust incident response plan, despite guidance from the Pensions Regulator that schemes should have one in place.
• Over 60% of schemes have not assessed the potential financial impact of a cyber attack.
• Only 2% of schemes have a cyber insurance policy.
Paul McGlone said: “Responses in our assessments did vary somewhat by size, with larger schemes performing better on average. However, we concluded that size was not the key determining factor of cyber resilience. Rather, it is what the market calls ‘cyber maturity’, with trustee awareness of the issue being a key factor in driving action and maintaining watchfulness.
“Schemes that have identified and understood the issues and then taken steps to address them come out of the Scorecard assessment well. Schemes that have not yet engaged with the issues do not. On the plus side, we believe that many improvements can be made swiftly.”
Vanessa Jaeger said: “As well as being of interest to trustees, the potential impact of cyber risk on pension schemes should be of definite interest to sponsors, who ultimately pick up the cost of any incident as well as reputational impact. Any sponsor that doesn’t know how their scheme is managing cyber risk should be asking that question.”
‘Cyber Threats to Corporate Pension Schemes’