TPR publishes cyber security guidance paper for trustees

The Pensions Regulator (TPR) has published a cyber security guidance paper advising trustees on how to build cyber resilience, what preparations need to be in place to secure scheme data, and how to respond to a cyber security breach.

TPR's trustee paper, Cyber security principles for pension schemes, has outlined three key areas that need to be addressed to protect scheme members and assets from cyber risks. These include: governance duties, controls that should be in place and incident response plans.

As trustees and scheme managers are accountable for the security of pensions schemes, TPR notes that "roles and responsibilities should be clearly defined, assigned and understood."

The guidance paper states that trustees should have cyber risk on their risk register and should ensure that sufficient controls are in place to minimise the risk of cyber breaches involving systems, processes and people.

In addition to ensuring that internal scheme processes are protected, TPR has also advised that trustees should obtain assurance that all third-party suppliers have sufficient controls in place.

TPR's paper advises that controls should also be in place around IT infrastructure. "Multiple layers of security" should be implemented around IT systems "in line with the Information Commissioner's Office's (ICO) guidance on IT security", and data should be regularly backed up, it states.

Furthermore, TPR highlights that trustees must have an incident response plan prepared to enable schemes to "swiftly and safely resume operations".

TPR states that the plan should set out the roles and responsibilities of the response team, how communications during a crisis will be handled and relayed to trustees, and the thresholds and time limits for notifying the parties involved. These include the ICO, TPR or the FCA as appropriate, as well as law enforcement, third parties and scheme members.

"Incidents should be documented and major incidents should be followed up by a post-incident review to update security processes," the paper stated. Trustees should also be aware of their third-party suppliers' incident response processes, TPR said.

While welcoming TPR's guidance, Aon retirement business partner Paul McGlone said: "Trustees should not need to become cyber experts. But they do need a way of determining how much detail to go into - and when to stop. The approach needs to be proportionate to the risks and the size of the scheme."

Revealing TPR's intention to publish a cyber security paper at a Pensions Age conference earlier this year, TPR policy lead Lucy Stone highlighted: "Pension schemes are very valuable targets to cyber criminals; personal information is a valuable, marketable commodity."

Stone noted that, in order to change the way data is protected, the regulator "wants to change the dialogue" around administration. Protecting scheme information, she emphasised, is not just a matter for administrators: trustees, advisers and employers also need to take responsibility. Schemes need to "look at the whole footprint", she added.
