New cyber guidance a good start but pensions need to do more


Aon has welcomed new guidance from the Pensions Regulator on how pension schemes can deal with cyber risk. However, Aon is also cautioning that trustees need to think carefully about how it might be implemented in practice and what represents the best approach for their own scheme.

 For most pension schemes, cyber risk is primarily managed by their providers, such as administrators, investment managers and actuaries. For those schemes, understanding third parties’ security controls and any subsequent cyber risks is essential. But the current practice of simply asking generic security questions is resulting in trustees having to take on a major project while potentially ending up no better informed of the risks.
  
 Guidance
 Paul McGlone, partner in Aon's retirement business, said: "Some of the guidance from the Regulator is quite detailed. But while it's helpful to have a well thought out scope of what you're looking for, trustees may find themselves having to assess encryption standards, penetration testing and countless policies and sub-policies. That isn't helpful.
  
 “Trustees should not need to become cyber experts. But they do need a way of determining how much detail to go into - and when to stop. The approach needs to be proportionate to the risks and the size of the scheme."
  
 Where schemes are running their own services, such as an in-house administration team or investment function, the risks can be quite different.
  
 Data
 Onno Janssen, CEO Aon Global Risk Consulting & Cyber Solutions EMEA, said: "Whether pension schemes are administered in-house, or through a mix of third parties, the responsibility for the security of the sensitive data remains with trustees. Therefore they should be able to describe how their scheme’s sensitive data is securely stored, processed, accessed, and shared. If internal functions or third party providers are unable to add detail to that, then it might be prudent to dig a little deeper and consider engaging the help of security experts.”
  
 As well as assessing providers, trustees also need to be alive to the other aspects of cyber risk.
  
 Cyber Risk
 Paul McGlone said: "The Regulator has highlighted Incident Response Plans, and we fully support that. We are working with schemes to put these in place for themselves, as well as understanding those set up by their providers. Wider than this, we suggest trustees should be looking at insurance cover, as a typical trustee liability policy won't cover many of the costs arising from a cyber attack."
  
 Onno Janssen said: “It’s crucial to have an overall framework to deal with cyber risk. That way issues such as insurance don't get forgotten. Aon has developed a six part cyber resilience framework that we use across all types of organisations. This framework allows us to deal with cyber threats in a robust fashion - from assessing and quantifying the risk, testing and improving controls, transferring the risk away from the balance sheet by having appropriate insurance, and finally responding to an event or incident. It ensures that in the rush to deal with the issue you don't miss out an important step."
  
 Paul McGlone said: “Not the least risk are the trustees themselves. Even if providers have great controls, it only takes one trustee to be attacked for the whole system to be compromised. There are some simple steps that trustees can take, and Aon’s ‘Trustee Security Policy’ addresses this, allowing schemes to adapt and adopt for their own trustees, and enabling them to have a common set of standards among themselves."
   
