Article | Pensions Briefing

Cyber security for pension schemes

Protecting your scheme from cyber-related risks


By John Norris | March 18, 2019

Trustees need to consider the Pensions Regulator’s recommendations on managing cyber risk.

Cyber risk is on the rise. In this article John Norris provides some insights into the practical steps pension trustees can take to start to address this relatively new threat and strengthen their scheme's cyber resilience.

Cyber-related incidents are increasing and come in different guises. A month does not pass by without news coverage of a further significant cyber event or data breach. Whilst UK pension schemes have been relatively unscathed to date, they are an attractive target for cyber criminals because of the size of the assets and the volume of membership data they hold, which often includes employment and financial details. Whilst some cyber-attacks are targeted, others are indiscriminate and will simply exploit those organisations or businesses with the weakest defences.


For trustees, who are responsible for ensuring that their pension schemes have internal controls and appropriate risk management, getting to grips with cyber-related threats is a challenge. Not only is ‘cyber’ a relatively new risk, it is evolving quickly and is far broader than the misconception of being a technical issue.

So where should trustees start?

In April 2018, the Pensions Regulator published its ‘Cyber security principles for trustees’, which outline seven broad areas for trustees to consider. The statement combines guidance with expectations that trustees are encouraged to follow, and it is a very good reference point to help trustees develop their approach to managing cyber-related risks.

The seven areas, with the action each implies for trustees:

  • Training on issues and regulation
  • Access to skills and expertise
  • Likelihood and impact
  • Risk management: update the risk register
  • Internal controls: trustees and service providers; gap analysis
  • Incident response plan: plan of action if an incident occurs
  • Roles and responsibilities: agree and document

Think holistically

‘Cyber’ is easily associated with computers and computer networks, or ‘cyberspace’. However, in the context of information security, cyber-related risks can arise from a range of digital and electronic channels: laptops, mobile equipment, and electronic communications such as email, SMS/messaging and telephones. These are used in nearly all aspects of running pension schemes, increasing exposure to cyber threats whether they are triggered by malicious acts, negligent misuse or loss.

Fortunately, there are a range of activities that trustees can undertake to improve their scheme’s information security and, in doing so, reduce exposure to cyber-related risks. Surprisingly, some of these measures are simply good old-fashioned ‘housekeeping’ activities (e.g. ensuring authorised signatory lists are up to date, reviewing risk registers, etc.), whilst others require new action to be taken.


Over 80%* of cyber fraud and crime is probably preventable through common-sense practices and comprehensive information security training for operatives and staff. Trustee directors also have an individual role to play by adopting good practice: don’t use personal email accounts, do use encryption, update passwords, and maintain anti-virus software and firewalls. More generally, trustees should exercise caution and be able to spot the signs of malicious software (or ‘malware’) attempts and social engineering risks (e.g. email scams, hoax calls).

Be organised

Trustees should develop their own information security framework. In simple terms, this is an action plan that trustees can work through with their service providers, and it will be invaluable for prioritising the steps that need to be taken. Such plans also demonstrate what trustees have done to meet the Pensions Regulator’s expectations.

Information security – action plan


Understand the issues


Thankfully, trustees do not need to be experts in the field of IT or computer code, but they do need an understanding of the risks and of how their scheme may be vulnerable to cyber-attacks. The effective operation of a pension scheme typically requires complicated flows of money and data, multiple service providers to deliver key functions and systems, and member interaction. These factors, sometimes labelled the ‘cyber footprint’, all contribute to a pension scheme’s exposure to cyber threats, malicious or otherwise. Trustees should arrange a training session to work through these issues and help them better understand what actions are needed.

Once trustees have an understanding of their scheme's operational functions, they can start to check their third-party service providers such as the administrator, actuary, consultants, investment managers, etc. As a minimum, trustees will want to obtain copies of their providers’ information security policies and look at the results of the latest independent audit of their internal controls. This can generally be done as a ‘desktop’ exercise and will provide a high-level indication of how robust the providers are and whether there are any immediate red flags that should give cause for concern.

Skills and expertise

The Pensions Regulator expects all trustees to at least consider whether they need to appoint a cyber risk expert. For trustees who may feel daunted at reading through information security policies, some external help may be a good option. Trustees can gain valuable assistance from cyber experts: conducting cyber assessments, improving controls and practices, helping to quantify the risk, and advising on appropriate ‘risk transfer’ solutions such as liability insurance. Factors to consider include:

  • The scheme’s specific experience (e.g. past data issues, incidents of maladministration).
  • The size of assets and volume of data at risk.
  • The complexity of the pension scheme’s structure (e.g. the number of service providers, information and data flows).
  • Whether the sponsoring employer is already looking at cyber risk or is willing to work with the trustee.

A key to success is finding a cyber expert who has knowledge of how pension schemes work.

*Source: The Cyber Security Breaches Survey 2018