Aon says new cyber guidance is a good start but pension schemes need to do more

Aon, the leading global professional services firm providing a broad range of risk, retirement and health solutions, has welcomed new guidance from the Pensions Regulator on how pension schemes can deal with cyber risk. However, Aon is also cautioning that trustees need to think carefully about how it might be implemented in practice and what represents the best approach for their own scheme.

For most pension schemes, cyber risk is primarily managed by their providers, such as administrators, investment managers, actuaries.  For those schemes, understanding third parties’ security controls and any subsequent cyber risks is essential.  But the current practice of simply asking generic security questions is resulting in trustees having to take on a major project while potentially ending up no better informed of the risks.  

Paul McGlone, partner in Aon’s retirement business, said:
“Some of the guidance from the Regulator is quite detailed.  But while it’s helpful to have a well thought out scope of what you’re looking for, trustees may find themselves having to assess encryption standards, penetration testing and countless policies and sub-policies. That isn’t helpful. 

“Trustees should not need to become cyber experts. But they do need a way of determining how much detail to go into - and when to stop.  The approach needs to be proportionate to the risks and the size of the scheme.”

Where schemes are running their own services, such as an in-house administration team or investment function, the risks can be quite different.

Onno Janssen, CEO Aon Global Risk Consulting & Cyber Solutions EMEA, said:
"Whether pension schemes are administered in-house, or through a mix of third parties, the responsibility for the security of the sensitive data remains with trustees. Therefore they should be able to describe how their scheme’s sensitive data is securely stored, processed, accessed, and shared. If internal functions or third party providers are unable to add detail to that, then it might be prudent to dig a little deeper and consider engaging the help of security experts.”

As well as assessing providers, trustees also need to be alive to the other aspects of cyber risk.

Paul McGlone said:
“The Regulator has highlighted Incident Response Plans, and we fully support that.  We are working with schemes to put these in place for themselves, as well as understanding those set up by their providers.  Wider than this, we suggest trustees should be looking at insurance cover, as a typical trustee liability policy won’t cover many of the costs arising from a cyber attack.”

Onno Janssen said:
“It’s crucial to have an overall framework to deal with cyber risk.  That way issues such as insurance don’t get forgotten.  Aon has developed a six part cyber resilience framework that we use across all types of organisations.  This framework allows us to deal with cyber threats in a robust fashion - from assessing and quantifying the risk, testing and improving controls, transferring the risk away from the balance sheet by having appropriate insurance, and finally responding to an event or incident.  It ensures that in the rush to deal with the issue you don’t miss out an important step"

Paul McGlone said:
“Not the least risk are the trustees themselves. Even if providers have great controls, it only takes one trustee to be attacked for the whole system to be compromised.  There are some simple steps that trustees can take, and Aon’s ‘Trustee Security Policy’ addresses this, allowing schemes to adapt and adopt for their own trustees, and enabling them to have a common set of standards among themselves"

-------

About Aon
Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance.