Clearer cyber risk guidance needed to help trustees combat pensions scams, says RSM UK

17 August 2023

The Pensions Regulator (TPR) has recently called on the industry to step up efforts to identify and report scams (Professional Pensions, August 7). As TPR coordinates a multi-agency response, including the Pension Scams Action Group (PSAG) to tackle scam threats, there is mounting pressure on trustees to protect members’ data and safeguard scheme assets. 

As TPR’s cyber security principles were last issued in 2018, RSM UK is calling on the regulator to provide an updated and clear path to compliance, including practical steps for trustees and scheme managers, and examples of best practice.

Stuart Leach, cyber risk partner at RSM UK, says: ‘The forthcoming General Code guidance for cyber controls is open to interpretation. While it puts great emphasis on what trustees’ responsibilities are, it gives little reference to practical steps to remain compliant. Trustees and scheme managers often have limited expertise in this area, and broader cyber training to educate trustees on how to meet their obligations should be mandatory. With the threat of cyber-attacks increasing, some prescriptive guidance, providing solid examples of what trustees should do to protect their members, would be welcome.’

Unison has also recently called on TPR to do more to ensure its members’ pensions are safe following recent data breaches. With the responsibility to mitigate risks to members firmly resting with trustees and their third parties, clearer guidance would be helpful. 

Stuart Leach adds: ‘While the Information Commissioner’s Office can impose fines and penalties for negligence leading to a data breach, it’s currently unclear how these would be applied, when practical guidelines for trustees are not in place. If a scheme suffers a cyber-attack or data breach due to a third-party error, trustees are still accountable, despite the lack of clarity on best practice.’

Stuart says the pensions industry could consider replicating the approach taken by other sectors: ‘Sectors such as financial services have enhanced their cyber security by providing prescriptive minimum standards on cyber controls and risk management. As these sectors have matured, cyber security standards have also evolved towards a risk and threat-based approach. This enables organisations to be more agile when managing specific cyber risks. This approach would provide much needed clarity for trustees, and could be considered by TPR to aid adoption of and compliance with the General Code.’