Almost a quarter of trustees of UK pension schemes have still had no training on the risk of cyber crime, according to a new survey by re/insurance brokerage Aon.
While 95% of respondents to Aon’s Global Pension Risk Survey 2019 said their schemes had not been affected by cybercrime, a handful confirmed that they had been, and analysts expect this number to increase.
“It’s encouraging that 77% of schemes have undertaken some form of cyber training or plan to have it in the next 12 months,” said Vanessa Jaeger, principal consultant at Aon. “But that still means that 23% are ignoring one of the key risks facing modern business.”
“Getting some training is the first and simplest thing that trustees can do in considering the risk – just so they can fully understand some of the issues and know how to take informed actions,” she explained.
Aon believes that in some cases this lack of action arises where schemes may have outsourced services to third parties, assuming the issue lies with them.
However, if those suppliers are impacted by a cyber attack, trustees will have no plan in place to manage the situation and may find that they are struggling to support their scheme members and to know what actions to take, the broker noted.
The survey found that around two-thirds of UK pension schemes currently have no documentation of cyber risks, mitigations and security policies and procedures, while half had not carried out a review of data transfer agreements.
“The natural follow on from any training is to have an incident response plan,” Jaeger continued. “That can vary from a list of contact details and a checklist to a robust plan of action.”
“60% of respondents said that they do have one of these or plan to do so within the next year,” she noted. “But bear in mind that the Pensions Regulator (TPR) has stated that good governance includes establishing and testing your incident response plan – so the other 40% of schemes need to act swiftly.”
“But the planning shouldn’t stop there,” Jaeger further stated. “This is a real and ever-growing threat, so trustees and pension scheme sponsors need to be alive to the issue and to have had some training around it.”
“They should also repeat the training at least every two years; cyber criminals’ tactics and techniques continue to evolve so it’s vital to stay as up to date as possible on what is – sadly – a growing and changing risk.”