Cyber security – how prepared and protected are LGPS Funds?
With the risk to local authorities and pension funds increasing, are Local Government Pension Scheme (LGPS) Funds doing enough to meet their cyber security obligations so that member data and Fund assets are protected as far as possible? We set out how we, alongside our sister company Marsh, can help LGPS Funds manage these risks.
The risks are real
With a variety of IT systems, 3rd parties and large volumes of member and asset data, pension funds are a prime target for cyber-criminals.
The impact of the Capita cyber-attack in 2023 is well publicised, and the fallout of this incident continues for the stakeholders involved. There have also been a number of incidents linked to local authorities already in 2024.
Indeed, recent information released by the Information Commissioner's Office (ICO) shows that disruptive cyber-attacks affecting local authorities increased significantly, with nearly 10 times as many ransomware incidents reported in 2023 as in 2022. In 2023, for the first time, the total number of data security incidents reported by local authorities exceeded 1,000.
Whilst these recent local authority attacks are not linked to the LGPS, together with the Capita incident they highlight the real risks faced and how important it is for LGPS Funds to manage them.
Regulatory focus
From a regulatory perspective, the focus in this area is also increasing.
The Pensions Regulator issued an updated set of guidance principles in December 2023 that confirmed it expects Trustees and Scheme Managers to:
Diagram showing the cyclical flow of the Pensions Regulator's updated set of three guidance principles:
- Assess and understand the risks faced.
- Ensure controls are in place to manage those risks.
- Be able to respond to and report incidents when they occur.
There is certainly a greater emphasis now on “when” a cyber incident occurs rather than “if”, recognising the greater threat Funds now face relative to a few years ago.
Coupled with the updated guidance, the Regulator’s General Code includes a Cyber Controls module. It recognises the adequate controls that public service pension scheme governing bodies need to have in place, and sets out the measures it expects them to adopt as good practice to assess and manage cyber risk, aligning with the updated principles and guidance issued in December.
Being able to demonstrate how cyber risks are being assessed and managed will therefore form a key part of adherence to the Code whilst ultimately improving the overall governance of the Fund.
How we can help
- Train: We can help ensure Committee/Board members and officers are aware of what cyber risks are and why they matter to the Fund, alongside conveying important messages around individual cyber hygiene.
- Document: We can help prepare/review policy documentation for the Fund (linking back to the host authority where appropriate), alongside preparing/reviewing Fund-specific incident response plans.
- Assess: We can help map and understand data flows, consider Funds' exposure to 3rd parties, and assess/understand those parties' management of cyber risk.
- Test: Marsh can run a crisis simulation workshop for Funds to test plans and refresh them accordingly.
- Insure: We can also provide details of the support Marsh can provide in quantifying the costs emerging from a cyber incident and arranging associated insurance.
Aside from the above, we recommend that Funds continue to:
- monitor the risks, e.g. through inclusion on the risk register;
- liaise with the host authority / 3rd parties on a regular basis;
- communicate to stakeholders where appropriate, e.g. via a member newsletter.
- Senior LGPS Benefits/Governance Consultant
- Cyber Security Specialist