Data breaches and cyber attacks – managing the consequences
Pension schemes are increasingly on the radar of attackers and regulators alike when it comes to data breaches and cyber controls, just as much as large corporations, government bodies and the wider financial services sector. The personal data and assets held by pension schemes are a potential treasure trove to fraudsters and scammers.
While trustees, and the Pensions Regulator, want to see this risk appropriately managed, turning that intention into a practical, resilient set of measures is easier said than done.
Even knowing where to start takes time and effort but will, ultimately, pay dividends if a breach or attack occurs. At our recent client webinar in March, we looked specifically at the practical issues that come into play when thinking about a strategy and action plan to respond to data breaches and cyber attacks.
Identifying the building blocks and the actions that would need to be taken in practice to deal with a breach, and being aware of the sorts of risks that arise, will stand schemes in good stead to cope with a situation if it arises.
The key building blocks will include:
- establishing the “who does what”: who obtains the key information about the incident, who provides the technical support and advice needed to understand what has happened, and who makes the necessary decisions
- assessing the direct impact of a breach or incident, and the scheme’s ongoing ability to carry out its necessary functions
- identifying the appropriate responses and steps that follow a breach, from putting things right to communicating with employers, third-party service providers, the authorities (such as TPR, the ICO or the police) and members
- anticipating the queries, complaints and claims that may flow from a breach, and addressing matters such as evidence, advice and resolution options
- knowing what protections and sources of support or funds are available to meet investigation costs, remedial steps and/or sanctions.
Building a robust and workable plan requires each building block in turn to be overlaid and meshed with further layers of risk controls and considerations, which may need to evolve and be tested over time. Each scheme will ultimately have to work out which practical steps best manage its own specific risks and its appetite for controls.
But it’s not a simple “box-ticking exercise” or a “once done can be filed” aspect of a scheme’s controls. It’s much more important than that given that:
- attacks are constantly evolving, probing for weak points in systems and for opportunities to access data, and can occur without warning
- there are rising levels of public scrutiny and awareness that cybercrime and scamming are a fast-developing and worrying industry
- the potential fallout from a mishandled response to an incident can be massive, wide-reaching and long-lasting.
So, being on the front foot, and being able to demonstrate that considered thought is routinely given to cyber controls before a breach occurs, will put a scheme in a much better light than only being able to tell a story of how it reacted to a breach after the event.