Cyber Security and Business Continuity for Pension Schemes: webinar poll results and practical tips from our recent webinar mini-series


Burges Salmon recently teamed up with Barnett Waddingham (part of Howden) to deliver two interactive webinars with practical tips to develop cyber security and business continuity for pension schemes. The webinars were delivered by Samantha Howell (Director and Cyber Governance Lead in the Pensions team at Burges Salmon), Amy Khodabandehloo (Director in the Dispute Resolution team at Burges Salmon) and Karla Gahan (Head of Resilience Services at Barnett Waddingham (part of Howden)).

Across the two webinars, participants were asked to answer four questions on their scheme’s preparedness in various scenarios. A summary of the results of the poll questions is set out in this article. 

Webinar One – Five Practical Tips to Build Cyber Security for Pension Schemes

It was comforting to see that most participants knew that trustees should not rely on third parties for their cyber policies and procedures. The Pensions Regulator expects each scheme to have its own policies and procedures in place. This matters beyond the regulatory perspective: the practical importance of having cyber policies and procedures in place cannot be overstated, and documentation that is tailored to your scheme’s circumstances is going to be the most helpful for the trustees, both in times of calm and crisis.

As a minimum, all schemes should have two cyber security documents in place: one that is proactive (such as a cyber security policy) and one that is reactive (such as an incident response plan or IRP).

It was encouraging to see that most participants had an IRP in place. A practical point that we often encounter as advisers is that trustees may not have immediate access to their IRP. Many trustees have their IRP saved only on a portal or on an email account. In the event of a cyber incident, it is possible that emails and third-party portals would become inaccessible, delaying access to the IRP during a live incident, when time is critical.

We encourage trustees to hold a copy of their plan separately. This could be in hard copy or a local copy on another device. This ensures that in an incident involving critical service outages, the IRP is still accessible.

Webinar Two – Five Practical Tips to Develop Business Continuity for Pension Schemes

It was fantastic to see that a significant majority of attendees at our second webinar knew what a Business Continuity Plan (BCP) is. A BCP is a reactive response document for when there is an incident. It will typically be wider than an incident response plan (which may be limited to dealing with cyber incidents and data breaches), although the terms are often used interchangeably.

If a scheme only has a policy that covers cyber security and data breaches, trustees of those schemes should think more holistically about potential risks to their scheme that fall outside of those categories. 

A topical example of a business continuity risk that is not a cyber incident or data breach is the ongoing issues for the Civil Service Pension Scheme, whereby a change to the scheme’s administrator has been linked to members having “difficulty logging into the scheme's portal, incomplete pension details, long waits on customer service calls, and delays to pension quotes and payments”.

It was interesting to see a 55/45 split of attendees who had tested one of their BCP and IRP and those that had not. In our experience, trustees can sometimes think that they must undertake a full 'wargaming' exercise to test their policies. While full testing is beneficial and appropriate for some schemes, it is not the only way of testing plans. For schemes with smaller budgets or for schemes that are in between full testing periods, light-touch testing can be carried out rather than formal end-to-end testing with external advisors. The primary takeaway from this section of the webinar was that it is important to test regularly, and that some testing is better than no testing. Without any testing, you have no way of knowing how your IRP or BCP will work when the time comes!

Conclusion

The webinar recordings are available to view by clicking on the links below:

  1. 5 Practical Tips to Build Cyber Resilience for Pension Schemes

  2. 5 Practical Tips to Develop Business Continuity for Pension Schemes

The webinar recordings will also be available to view on Barnett Waddingham’s (part of Howden) Risk Portal.

If you would like any more information regarding the cyber security, business continuity, data protection and AI advice that Burges Salmon offers, please consult our dedicated webpage. If you have any questions, please get in touch with Samantha Howell, Amy Khodabandehloo or your usual Burges Salmon contact. 

This article was written by Matthew Pegler, Ben Jonsmyth and Samantha Howell. 
