It could never happen here… or could it? What can UK pension trustees learn from cyber disruption on the other side of the world?
“This should not have happened”, says the statement on Australian pension fund UniSuper’s website, referring to a technical error that led to widespread disruption.
The exact cause of what went wrong is unclear. But an “inadvertent misconfiguration” led to UniSuper’s online cloud subscription being deleted by mistake. More than half a million pension savers went a week without access to their accounts.
It’s common to assume that pensions technology “manages itself”. We often forget the human involvement in configuring the technical solutions which underpin pension schemes. And humans sometimes press the wrong buttons!
In the spirit of the ICO’s recent report on “Learning from the mistakes of others”, what can we take away from the disruption at UniSuper?
- Some cyber risks sit within the scheme. Trustees are putting pen to paper on new or improved cyber policies, following expectations communicated by TPR over the last six months. Rightly, those policies generally address the risks of external attacks like hacking and phishing. But incidents stemming from human error can be just as catastrophic, so cyber controls shouldn’t cover just the risk of outside threats.
- Data theft isn’t the only risk to our members. Recent incidents in the UK pensions sphere have shone a light on the risks of data theft, which can be upsetting to members and even be a fraud risk. But service disruption, for example to payments of pensions or investment of contributions, is just as important to schemes. Continuity plans should be in place and rehearsed to manage the impact of cyber outages, even when there is full confidence in the schemes’ providers.
- IT system changes are a risk area to be managed. One of the new modules in the General Code of Practice addresses IT system maintenance. TPR expects trustees to ask providers to confirm that written policies are in place for maintaining, upgrading and replacing systems – which should cover, for example, the transition of a database to the cloud.
- Don’t lose focus on how providers interact. Very unusually, Google Cloud’s CEO gave a joint statement alongside UniSuper. Whilst technological solutions often work well in isolation, new risks emerge when providers begin to interact and systems or data are shared. Trustees’ cyber due diligence should focus as much on the join-up between providers as on what happens within each provider’s own systems.
- Check contracts now, to manage risk allocation later. The UniSuper statement talks about work continuing “around the clock” to sort out the system outage issues – no doubt an extremely expensive exercise. TPR expects suitable provisions on cyber to be included in contracts with providers. Whilst we may think “this could never happen here”, schemes will benefit from understanding – and where relevant, strengthening – providers’ cyber obligations in advance of any incident.