General code in force: 28 March 2024
- ‘Cyber risk’ refers to the risk of loss, disruption, or damage to a scheme or its members because of the failure of its information technology systems and processes (see Identifying, evaluating and recording risks). Governing bodies should take steps to reduce the risk of incidents occurring, and appropriately manage any incidents that arise. Properly functioning cyber controls will assist governing bodies in complying with data protection legislation [1], and may reduce liabilities in the event of a data breach.
- Under section 249A of the Pensions Act 2004 [2], governing bodies of certain schemes must establish and operate an effective system of governance (see Systems of governance) including internal controls (see Internal controls). However, there are certain exemptions [3]. These controls need to include measures to manage cyber risk. The system of governance must be proportionate to the size, nature, scale, and complexity of the activities of the scheme.
- Under section 249B of the Pensions Act 2004 [4], scheme managers of public service pension schemes [5] are required to establish and operate internal controls which are adequate for the purpose of securing that the scheme is administered and managed in accordance with the scheme rules [6] and with the requirements of the law.
- The legal obligation to establish measures to manage cyber risk is different for public service pension schemes [7]. In so far as cyber controls are a matter set out in the scheme rules [8] or in the requirements of the law [9], scheme managers of public service pension schemes must establish and operate adequate internal controls in relation to them. In such cases, internal controls need to include measures to manage cyber risk.
- To the extent that there is no legal obligation on scheme managers of public service pension schemes to adopt these cyber risk measures, we consider it good practice to do so.
- Governing bodies should also consider how topics in this module interact with those in Maintenance of IT systems, Scheme continuity planning, and Systems of governance.
- Our expectations on processes and procedures for governing bodies are set out in paragraphs 8 and 9 below. Where using service providers, governing bodies should consider how well those providers are meeting these expectations. See Managing advisers and service providers. Governing bodies should also be aware of their responsibilities under the Data Protection Act 2018.
- When assessing cyber risk, governing bodies should:
  - Ensure the governing body has knowledge and understanding of cyber risk.
  - Understand the need for confidentiality, integrity, and availability of the systems and services for processing personal data, and of the personal data processed within them.
  - Have clearly defined roles and responsibilities to identify cyber risks and breaches, and to respond to cyber incidents.
  - Ensure cyber risk is on the risk register and regularly reviewed. See Internal controls.
  - Assess, at appropriate intervals, the vulnerability of the scheme’s key functions, systems and assets (including data assets) to a cyber incident, and the vulnerability of service providers involved in the running of the scheme.
  - Consider accessing specialist skills and expertise to understand and manage the risk.
  - Ensure appropriate system controls are in place and are up to date (eg firewalls, anti-virus, and anti-malware products).
- When managing cyber risk, governing bodies should:
  - Ensure critical systems and data are regularly backed up.
  - Have policies for the use of devices, and for home and mobile working.
  - Have policies and controls on data in line with data protection legislation (including access, protection, use, and transmission).
  - Take action so that policies and controls remain effective.
  - Have policies to assess whether breaches need to be reported to the Information Commissioner (https://www.ico.org.uk).
  - Maintain a cyber incident response plan in order to safely and swiftly resume operations. See Scheme continuity planning.
  - Satisfy themselves with service providers’ controls. See Managing advisers and service providers.
  - Receive regular reports from staff and service providers on cyber risks and incidents.
Glossary and legal references
Internal controls
- Arrangements and procedures to be followed in the administration and management of the scheme,
- Systems and arrangements for monitoring that administration and management, and
- Arrangements and procedures to be followed for the safe custody and security of the assets of the scheme.
Public service pension scheme
Schemes as defined in s318(1) of the Pensions Act 2004, established under section 1 of the Public Service Pensions Act 2013, new public body pension schemes and other statutory pension schemes which are connected to those schemes.
[1] For example, the Data Protection Act 2018 and the Retained Regulation (EU) 2016/679 (UK General Data Protection Regulation)
[2] Article 226A of The Pensions (Northern Ireland) Order 2005
[3] Section 249A(3) Pensions Act 2004 [Article 226A(3) of The Pensions (Northern Ireland) Order 2005]
[4] Article 226B of The Pensions (Northern Ireland) Order 2005
[5] As defined in section 318(1) of the Pensions Act 2004 [Article 2(2) of The Pensions (Northern Ireland) Order 2005]
[6] As defined in section 318(2) of the Pensions Act 2004 [Article 2(3) of The Pensions (Northern Ireland) Order 2005]
[7] As defined in section 318(1) of the Pensions Act 2004 [Article 2(2) of The Pensions (Northern Ireland) Order 2005]
[8] As defined in section 318(2) of the Pensions Act 2004 [Article 2(3) of The Pensions (Northern Ireland) Order 2005]
[9] The law includes the Data Protection Act 2018 and the Retained Regulation (EU) 2016/679 (UK General Data Protection Regulation)