LGPS | Cyber Security Briefing | May 2024
Cyber security: are you as prepared and protected as you can be?
With the risk to local authorities / pension funds increasing, is your Fund doing enough to ensure its cyber security obligations are being met so that member data and Fund assets are protected as much as possible? We set out below how we, alongside our sister company Marsh, can help you manage these risks.
The risks are real
With a variety of IT systems, 3rd parties, and volumes of member/asset data, pension funds are a prime target for cyber-criminals.
The impact of the Capita cyber-attack in 2023 is well publicised, and the fallout of this incident continues for the stakeholders involved. There have also been a number of incidents linked to local authorities already in 2024.
Indeed, recent information released by the ICO shows that disruptive cyberattacks affecting local authorities increased significantly, with nearly 10 times as many ransomware incidents reported in 2023 relative to 2022. In 2023, for the first time, the total number of data security incidents reported by local authorities exceeded 1,000.
Whilst such recent local authority attacks aren’t linked to the LGPS, together with the Capita incident they highlight the real risks faced and the importance of LGPS Funds managing these risks.
Regulatory focus
From a regulatory perspective, the focus in this area is also increasing.
The Pensions Regulator issued an updated set of guidance principles in December 2023 that confirmed it expects Trustees and Scheme Managers to:
There is certainly a greater emphasis now on “when” a cyber incident occurs rather than “if”, recognising the greater threat Funds now face relative to a few years ago.
Coupled with the updated guidance issued, the Regulator’s General Code includes a module on Cyber Controls. It recognises the adequate controls that public service pension scheme governing bodies need to have, and sets out the measures it expects them to adopt as good practice to Assess and Manage cyber risk, aligning with the updated principles and guidance issued in December.
Being able to demonstrate how cyber risks are being assessed and managed will therefore form a key part of adherence to the Code whilst ultimately improving the overall governance of the Fund.
How we can help
We acknowledge that Funds will be at different stages in their cyber journey. Alongside cyber security specialists from our sister company Marsh, we can provide you with the help and support needed to ensure you assess and manage your cyber risks in each of these key areas.
Aside from the above, we recommend that the Fund continues to:
- monitor the risks, e.g. through inclusion on its risk register,
- liaise with the host authority / 3rd parties on a regular basis,
- communicate to stakeholders where appropriate, e.g. through a member newsletter.
Ultimately, depending on what stage you are currently at, we can work with you to develop a solution that ensures your needs are met and objectives achieved.
For further information on how we can help, please contact:
Contact us
For more information on how Mercer can help LGPS Funds and their stakeholders, visit www.uk.mercer.com/lgps or contact your usual Mercer consultant.
Important notes
This content is for information purposes only. It does not constitute advice specific to your Fund and you are responsible for obtaining such advice. Mercer does not accept any liability or responsibility for any action taken as a result of solely reading it.
This contains confidential and proprietary information of Mercer and other intellectual property rights and is intended for the exclusive use of the parties to whom it was provided by Mercer. Its content may not be modified, sold or otherwise provided, in whole or in part, to any other person or entity, without Mercer’s prior written permission.
© 2024 Mercer Limited. All rights reserved.
Issued in the United Kingdom by Mercer Limited which is authorised and regulated by the Financial Conduct Authority. Registered in England and Wales No. 984275. Registered Office: 1 Tower Place West, London, EC3R 5BU.