Stuart Leach of the Society of Pension Professionals urges schemes to have a robust cybersecurity plan as the number of attacks is set to increase.

In December, Richard Horne, the new head of GCHQ’s National Cyber Security Centre (NCSC), used his first major speech as a rallying call for collective action against an increasingly complex array of cyber threats including data breaches.

He said: “We need all organisations, public and private, to see cybersecurity as both an essential foundation for their operations and a driver for growth. To view cybersecurity not just as a ‘necessary evil’ or compliance function, but as a business investment, a catalyst for innovation and an integral part of achieving their purpose.”

The pensions industry should certainly be taking note.

The impact on the pensions sector

In September 2023, Infosecurity magazine reported a staggering 4,000% rise in cybersecurity breaches at pension firms.

While this compares an initial low number of six reported data breaches in 2021-22 against 246 in 2022-23, it shows a worrying increase – and a trend that is set to continue for reported incidents in 2023-24.

But statistics rarely tell the whole story, and only show reported incidents. In fact, a Freedom of Information request made to the Pensions Regulator (TPR) revealed it had not received any reports of cyber incidents from schemes as of 16 July 2024. Reporting to TPR is currently voluntary.

Furthermore, the 2024 Verizon Data Breach Investigations Report found that breaches involving third parties have increased by 68%, meaning the volume and impact of cyberattacks against the pensions sector are likely far greater than the reported statistics alone suggest.

What is a cyber footprint and why is it important?

Most pension schemes share data with third parties, with many operating models wholly reliant on third parties for pensions administration and operational activity.

When mapping a cyber footprint, it’s important to consider everywhere that data is used – where data has been, where it is now and where it will go.

This is the starting point in understanding whether a scheme is affected by a reported data breach, and is crucial in identifying the source of a cyber incident in an outsourced operating model.

Typically, pension schemes have some knowledge and documentation relevant to the third parties that they use.

However, this documentation often lacks crucial detail about the type of data handled by each third party, and about the overall impact on the scheme should that third party suffer a cyberattack.

Where to look

Many cyber footprint documents fail to include historic services where scheme data may still be retained, such as former outsourced providers and administrators.

While many third parties are obvious, some are less so, including indirect third parties or even fourth parties. For example, it’s common for third parties to use cloud software-as-a-service (SaaS) providers as part of their service delivery.

Where feasible, critical fourth parties should be included in the cyber footprint. Pension schemes have been impacted by breaches of global SaaS services such as file transfer services for payroll providers and large technology companies such as Microsoft, which are often targeted by sophisticated cyber criminals.

While schemes will have limited influence over fourth parties, it is important to understand the potential impact on the scheme and its members should the services used, or data stored, be breached.
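The footprint mapping described above can be kept as a small structured model rather than a static document, so that the question "is the scheme affected by the breach just reported at supplier X?" can be answered directly, including for fourth parties and former providers. The following is an added example, not code from the article or the Society of Pension Professionals; the supplier names, data categories and dependencies are constructed sample data for a fictional scheme.

```python
"""Cyber footprint model: which scheme data is exposed if a given supplier is breached?
Added example with constructed sample data; not from the article or the SPP."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Supplier:
    name: str
    data: set[str]                         # scheme data categories this supplier holds
    active: bool = True                    # False = former provider that may still retain data
    depends_on: list[Supplier] = field(default_factory=list)  # fourth parties it relies on


def build_sample_footprint() -> list[Supplier]:
    """Constructed footprint for a fictional scheme (all names are made up)."""
    saas = Supplier("CloudFileTransfer-SaaS (fourth party)", set())
    admin = Supplier("Administrator Ltd", {"member PII", "bank details"}, depends_on=[saas])
    payroll = Supplier("PayrollCo", {"bank details", "payment instructions"}, depends_on=[saas])
    old_admin = Supplier("FormerAdmin plc", {"member PII"}, active=False)
    actuary = Supplier("Actuarial Partners", {"member PII (pseudonymised)"})
    return [admin, payroll, old_admin, actuary]


def impact_of_breach(footprint: list[Supplier], breached: str) -> dict[str, set[str]]:
    """Map each affected third party to the data categories exposed when `breached` is compromised.

    Conservative assumption: a breached fourth party exposes all data of every third party
    that depends on it (one level of dependency, which is what the footprint records).
    """
    exposed: dict[str, set[str]] = {}
    for s in footprint:
        if s.name == breached:
            exposed[s.name] = set(s.data)
        if any(fp.name == breached for fp in s.depends_on):
            exposed[s.name] = exposed.get(s.name, set()) | s.data
    return exposed


def retention_gaps(footprint: list[Supplier]) -> list[str]:
    """Former providers that still hold scheme data and therefore belong in the footprint."""
    return [s.name for s in footprint if not s.active and s.data]


if __name__ == "__main__":
    fp = build_sample_footprint()
    print(impact_of_breach(fp, "CloudFileTransfer-SaaS (fourth party)"))
    print(retention_gaps(fp))
```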

Be prepared to respond

Pension schemes are increasingly taking cyber risk seriously, with some regularly performing scenario-based cyber incident response exercises. However, we still see many response plans that don’t consider a third-party cyber incident scenario.

Once the cyber footprint is documented, schemes should work with their key third parties to understand their response, additional protection measures that are in place, and how communication and collaboration can be most effective.

The details of expected actions by third parties should be added to the scheme’s own response plan and used to inform response decisions, including regulatory and scheme member communications.

This creates a clear plan that can be rehearsed regularly, improving resilience against a real cyberattack and protecting scheme data, assets and members.

Stuart Leach is a member of the Society of Pension Professionals.