For most pension schemes, cyber risk is primarily managed by their providers, such as administrators, investment managers and actuaries. For those schemes, understanding third parties' security controls and the cyber risks that remain is essential. But the current practice of simply asking providers generic security questions leaves trustees taking on a major project while potentially ending up no better informed about the risks.
Guidance
Paul McGlone, partner in Aon's retirement business, said: "Some of the guidance from the Regulator is quite detailed. But while it's helpful to have a well thought out scope of what you're looking for, trustees may find themselves having to assess encryption standards, penetration testing and countless policies and sub-policies. That isn't helpful.
“Trustees should not need to become cyber experts. But they do need a way of determining how much detail to go into - and when to stop. The approach needs to be proportionate to the risks and the size of the scheme."
Where schemes are running their own services, such as an in-house administration team or investment function, the risks can be quite different.
Data
Onno Janssen, CEO of Aon Global Risk Consulting & Cyber Solutions EMEA, said: "Whether pension schemes are administered in-house, or through a mix of third parties, the responsibility for the security of the sensitive data remains with trustees. Therefore they should be able to describe how their scheme's sensitive data is securely stored, processed, accessed, and shared. If internal functions or third party providers are unable to add detail to that, then it might be prudent to dig a little deeper and consider engaging the help of security experts."
As well as assessing providers, trustees also need to be alive to the other aspects of cyber risk.
Cyber Risk
Paul McGlone said: "The Regulator has highlighted Incident Response Plans, and we fully support that. We are working with schemes to put these in place for themselves, as well as understanding those set up by their providers. Wider than this, we suggest trustees should be looking at insurance cover, as a typical trustee liability policy won't cover many of the costs arising from a cyber attack."
Onno Janssen said: “It’s crucial to have an overall framework to deal with cyber risk. That way issues such as insurance don't get forgotten. Aon has developed a six part cyber resilience framework that we use across all types of organisations. This framework allows us to deal with cyber threats in a robust fashion - from assessing and quantifying the risk, testing and improving controls, transferring the risk away from the balance sheet by having appropriate insurance, and finally responding to an event or incident. It ensures that in the rush to deal with the issue you don't miss out an important step."
Paul McGlone said: “Not the least risk are the trustees themselves. Even if providers have great controls, it only takes one trustee to be attacked for the whole system to be compromised. There are some simple steps that trustees can take, and Aon’s ‘Trustee Security Policy’ addresses this, allowing schemes to adapt and adopt for their own trustees, and enabling them to have a common set of standards among themselves."