Cyber Risk for pension schemes
Cyber risk is an issue that every business now recognises as a threat. As that threat has grown, impacting organisations more frequently and in ever more innovative ways, so business owners and managers have taken actions to protect their assets and respond to incidents. And through our extensive cyber solutions business, Aon has been at the forefront of that development, helping corporates globally to assess, insure and respond to those threats.
But while there has been a rush to protect core business activities, the pension schemes associated with those businesses are often overlooked. Those pension schemes may not present a risk to the company's own operations, but they are just as much of a threat to its reputation.
Pension schemes in the UK could easily be subject to a cyber incident, either accidental or deliberate. Whether they are defined benefit or defined contribution, pension schemes hold lots of member data (all of which has a value on the dark web) and lots of liquid assets (which are at risk of being intercepted when they move), outsource operations to third parties (which means lots of potential access points), and are overseen by trustee boards who are likely to have limited experience of cyber issues or access to cyber expertise.
Scheme sponsors are increasingly recognising these risks and looking to ensure that their pension schemes are robust. Sponsors cannot take over the running of the scheme – that rests with the trustees – but they can challenge the trustees to ensure that they have taken some basic steps to protect their schemes and, as a result, the Company. And with Aon's unique expertise in both pension issues and cyber issues, we can help companies to ensure any action is both proportionate and effective.
Common actions in UK pension schemes include:
- Training programs, to ensure trustees and sponsors understand the issues
- Assessment of third party suppliers, either through the business or an external expert
- Assessing trustees’ own risks, particularly those working from home
- Incident response plans, including understanding the links with the corporate plan
- Testing the plan, often through an interactive simulation exercise (‘war game’)
- Lining up specialist incident response support, either from the sponsor or elsewhere
- Considering cyber insurance, either directly or on the back of the corporate policy
The majority of UK pension schemes are now working through such steps. They do not have to be time-consuming or expensive. In contrast, not being well protected could end up being very expensive for members, the scheme and the business.
Aon Solutions UK Limited is authorised and regulated by the Financial Conduct Authority.