Cyber risk: It’s not ‘if’ it’s ‘when’

6 Oct 2023

It’s unlikely to happen… isn’t it?

The Government’s cyber security breaches survey 2023 tells us that cyber security breaches and attacks remain a common threat, with larger businesses identifying the most breaches and attacks. Pension schemes hold vast quantities of data and are attractive to hackers. With many pension schemes’ data held by a relatively small number of medium to large firms, the likelihood of something occurring seems increasingly high.

A 4,000% increase in data breaches reported by pension schemes to the Information Commissioner’s Office (ICO) in the year to June 2023 (from RPC’s research) suggests we’re more aware about data, the importance of its security and where to report it when data security is jeopardised.

What happens when it does?

If you have identified that you have a breach, once the hackers are in, can’t you just close the door and shut the hack down?

With a ‘threat actor’ in the system, it’s difficult to know how much damage they are doing, how much data has been exfiltrated, if they are still lurking in servers waiting to wreak even greater havoc. Closing the door too soon might lead to a complete system shut down.

There’s a need to understand the nature and extent of the hack, the potential contagion, if data has been extracted, what sort of data it is and to whom it belongs. This will require specialist cyber, forensic and legal support.

That support cost Progress Software $602,000 for a cyber incident in 2022. Capita warn that the financial hit from the Black Basta attack will be up to £20m. The impact isn’t just financial though, its operational, reputational and can be damaging to trust.

Knowing what’s going on

For all those involved communication is key. However, it’s difficult to communicate when you don’t know the extent of what’s happened yourself. Understanding that might take the involvement of forensic specialists, round the clock investigation and data checking across 100s of servers.

It’s also challenging to communicate effectively in a crisis situation, especially when concerned parties are being guided to your door for answers you don’t yet have.

No one has a crystal ball to foresee what sort of cyber attack might happen or how it will play out, but being prepared for when it does, puts you on the front foot, particularly in terms of communications. Even if it’s just a holding letter, arguably not being left in the dark is better for salvaging what will inevitably be a damaged relationship.

Are we prepared?

Gone phishing

The Government’s cyber security breaches survey 2023 states that the most common cyber threats are relatively unsophisticated. Most cyber crimes and breaches are a result of phishing attacks (89%).

It might seem obvious, but we all need to be regularly reminded not to click on links in emails unless we’re certain of their origin. 95% of cyber breaches involve a human element.

Taking action

Nevertheless, the easiest cyber hygiene processes to implement are things like:

  • ensuring passwords are complex, not shared with others, and changed regularly,
  • not using personal email addresses for trustee work,
  • updating your malware protection, cloud back-ups, and
  • using restricted admin rights, and network firewalls.

IT/ cyber protocols or policies need to be kept up-to-date and relevant. They need to be adhered to and that adherence evidenced.

Business continuity

Penetration testing and checking that back-ups are in place are features of good business continuity, but if someone clicks on a link and ‘invites’ the hacker in, all the penetration tests and back-ups you may have are of little use. It is therefore important that all data held is encrypted and held securely.

Trustees are concerned about having back-up payroll files in case pensions can’t be paid due to a cyber attack. A word of caution - if moving securely held data, you must be sure that the transfer process and your own back-up process is water tight, otherwise you might unintentionally be presenting the data to hackers in a beautifully wrapped package.

Cyber risk

Cyber crime also facilitates other offences, e.g. fraud, so trustees will want to understand the various threats and consequences from a cyber attack.

Ideally trustees should fully understand the vulnerabilities in the processes and systems they have in place and implement strong enough controls to manage risks specific to their scheme. These might relate to data (how it’s held and transferred), or physical assets (how they are moved within financial transactions). Mapping your data and financial asset flows helps you see the different interactions and where points of weakness might be.

Given how challenging it is to a prevent cyber attack, schemes should want to be as prepared and well-equipped as possible to respond to an attack, recover from it and be resilient in its aftermath.

Incident response

Having an Incident Response Plan (IRP), which makes clear who has what role and responsibilities in specific circumstances, is required by the draft General Code, but we’re seeing schemes being proactive about implementing these on the back of recent incidents. An IRP can cover data breaches and any other material event that might affect scheme operations.

An IRP can have its limitations though. Scenario testing provides the best way of understanding if all the dots actually join up in practice, particularly on who communicates what to whom. You can have the best plan on paper but if your third party didn’t know they were supposed to report an incident to you within 24 hours then it will fall down.

Managing supplier risk

Pensions is a heavily outsourced industry so oversight is key. Outsourcing does not absolve trustees of their responsibilities for data and asset security.

Trustees need to ask the right questions of their providers. Many trustees didn’t know that their outsourced administrators were using software like MOVEit to transfer payroll files.

GDPR requires data processing to be recorded and data mapping to be carried out, with data processor/ sub-processor contractual relationships being clear. It also requires the data controller (the trustee) to approve the usage of any sub-processors. How many schemes have done this since GDPR came into force, or even can when providers use so many different sub-contractors that are potentially changing as technology evolves?

Those sub-contractors may also be sub-contracting to others. Even where there is no contractual right for the trustees to intervene, they should be proactively told about any changes, rather than just rely on a sentence in their contract that says that any sub-contracting will be the responsibility of their appointed administrator.

The supply chain is only as strong as its weakest link. Lack of understanding and oversight exposes trustees. If the right questions aren’t being asked and outsourced providers aren’t being actively managed, it’s unlikely the right controls are in place to manage cyber risks, which might mean you’re exposed.

So what happens now?

How can we, as an industry, improve things for ourselves and each other? We probably all know of schemes and members affected by recent events. Wouldn’t it be good to pool the knowledge and lessons learned coming from this for the benefit of the whole industry? Watch this space…