New reasons to double down on efforts to build pension scheme cyber resilience
At a recent discussion forum on cyber risks for pension schemes, I was struck by a theme emerging from the questions being asked: that, while in the past cyber had been just another one of the risks that trustees should acknowledge, there was now a tangible sense of cyber being a real risk. And indeed, there are some new reasons why doubling down on efforts to build your scheme’s cyber resilience now makes sense.
- Pension schemes are in the frame for cyber attacks – more now than ever
There are some frightening reports out there about the increase in cyber attacks generally, and especially since the start of the pandemic: a quick Google search will find them, but also think about the marked increase in the number of spurious ‘phishing’ calls and emails you’ve probably received on your own devices. In the context of pension schemes, the increased reliance on remote access technologies has created new vulnerabilities and, as pension schemes are essentially a pool of assets with a duty to make payments to beneficiaries on a regular basis, they are juicy targets for cyber criminals. Indeed, it was widely reported in July 2020 that an unnamed pensions administrator suffered, and thwarted, a ransomware attack. And, from speaking to pension scheme administrators, it’s clear that attempted cyber attacks are an extremely regular occurrence. So cyber risk for pension schemes is a real risk, now more than ever.
- Increasing formality of cyber risk regulation in progress
The Pensions Regulator (TPR) first published cyber security guidance for pension scheme trustees in April 2018. Since then it has been ‘banging the drum’ about the importance of trustees understanding cyber risk and their schemes’ vulnerabilities, and the need to build a cyber-resilient pension scheme, including by having an incident response plan in place. But a quiet step change in the regulatory backdrop is currently being consulted on as part of TPR’s new single code of practice, in which cyber risk gets its own module. This matters from a legal perspective because it elevates the regulatory expectations on cyber management from guidance to code of practice, and a court or tribunal must take account of codes of practice when deciding cases. It’s not a surprise that TPR is proposing this elevation, but it does give pension scheme trustees another reason to up their game on cyber.
- The rise of distress-only group litigations?
Not quite as catchy as “The Rise of Skywalker”, I know. But this is something that trustees need to be aware of and, to my knowledge, it isn’t yet much discussed by trustee boards. The 2015 Court of Appeal decision in Google v Vidal-Hall established that distress-only claims, i.e. claims for compensation even where the claimant has not suffered any financial loss, can be brought under data protection legislation (the principle was decided under the old Data Protection Act, but it applies under the new one too). And individuals, often spurred on by claims management firms, are taking advantage of this change in the interpretation of the law by clubbing together to claim damages for distress caused by data and cyber breaches. Pension schemes are not immune to this. For example, less than 2 months ago it was reported that a group of Sussex police officers had issued a distress-only claim at the High Court against their pension scheme’s administrator. So it’s not just the risk of large regulatory penalties for data breaches that pension scheme trustees need to watch out for.
Sackers are experienced in helping clients get their cyber house in order. There are lots of practical steps that trustees can take to build their cyber resilience and to feel that they are on the front foot, knowing what they would do if their pension scheme suffered a cyber event.