Cybersecurity In Pensions: Breaking Down The Regulatory Guidance

Posted by

In this episode of our Sense of Identity podcast, we sit down with Sam Howell, Senior Associate at Burges Salmon, to discuss the increasingly vital role of cybersecurity in the pensions sector. With a significant rise in cyber threats targeting pension schemes, it's crucial to understand how to safeguard member data and comply with regulatory guidance.

📹 Watch the video on YouTube

You can subscribe to our Sense Of Identity audio podcast series on your podcasting platform of choice using the links on our Spotify page.

Sam brings her extensive expertise in pensions industry cybersecurity to shed light on the evolving landscape of risk and regulation, and shares practical advice for trustees and administrators.

Key Takeaways

Regulatory Changes: Recent updates from the Pensions Regulator emphasise a shift from best practices to mandatory compliance for cybersecurity measures in pension schemes.
Essential Steps for Cyber Resilience: Implementing a cybersecurity policy, an incident response plan, and regular training are crucial for pension schemes to mitigate cyber risks.
Proportionality in Cybersecurity: Smaller pension schemes can achieve substantial cyber resilience with sensible and proportionate measures, tailored to their specific needs and resources.

Interview Summary

Q: Sam, can you start with an introduction to yourself and your role at Burges Salmon?

A: Absolutely. It's great to be here. I’m a Senior Associate at Burges Salmon, specialising in pensions law.

Our firm boasts one of the largest pensions teams in the UK, advising a diverse range of clients including private and public sectors.

Personally, I focus on cybersecurity for pension schemes, working closely with our data protection and dispute resolution teams to provide comprehensive advice on cyber resilience.

Q: Why is cybersecurity particularly crucial for the pensions industry?

A: Cybersecurity is critical across all sectors, but it has become especially urgent in pensions due to the vast amounts of sensitive data and assets managed.

In the past 18 months, there has been a staggering 4,000% increase in reported cybersecurity breaches in UK pension schemes.

This uptick highlights how cybercriminals are increasingly targeting the pensions industry.

Q: How has the Pensions Regulator responded to the rise in cyber threats?

A: The Pensions Regulator has updated its guidance, shifting from suggesting best practices to mandating cybersecurity measures.

The new general code, which came into force in March 2024, outlines specific obligations for trustees, emphasising that schemes must prepare for cyber incidents rather than if they might occur.

Q: What practical steps should trustees take to enhance cybersecurity?

A: Trustees should start with five fundamental steps: establish a cybersecurity policy, create an incident response plan, ensure key contact details are accessible during incidents, document all cybersecurity actions for ongoing assessment, and provide regular cybersecurity training.

These steps form the backbone of a robust cyber resilience strategy.

Q: Can smaller pension schemes achieve effective cybersecurity with limited resources?

A: Absolutely. Proportionality is key. Smaller schemes can take manageable and cost-effective steps to build significant cyber resilience.

At Burges Salmon, we've developed a cybersecurity package that includes templates and training designed to meet these minimum requirements, making it easier for schemes to achieve compliance and protect their members.

Q: What additional measures can schemes take beyond the minimum requirements?

A: Beyond the basics, schemes should consider in-depth activities such as data and asset mapping, regular reviews of third-party contracts for cyber provisions, and advanced training like war games to simulate and prepare for cyber incidents.

These steps help in continuously enhancing a scheme's ability to respond to evolving cyber threats.

Q: How should trustees handle member communications following a cyber incident?

A: Timely and transparent communication with members is crucial. Trustees need to balance informing members quickly while ensuring the information is accurate and actionable.

Planning for these scenarios in advance, including having alternative communication channels ready, can make a significant difference.

Sam's expertise underscores the importance of a proactive and comprehensive approach to cybersecurity in pensions. Her insights are invaluable for trustees and administrators aiming to navigate the complex and rapidly evolving landscape of cyber threats.