Publication
Government Investigations in Singapore 2025
We have contributed the Singapore chapter of Getting the Deal Through, Government Investigations 2025.
United Kingdom | Publication | June 2023
Pension scheme trustees have been aware of the need for cybersecurity for some time now. Cybersecurity means protecting your electronically secured data, and the IT systems used to process that data, from unlawful outside interference, access or use. At the time of the lockdown during the Covid pandemic, “conventional” crime was hugely reduced but the level of cybercrime exploded, and that threat has not receded. In the 12 months ending September 2022, almost half of all crime committed was cybercrime or fraud. In the UK, organisations and individuals are now two and a half times more likely to suffer fraud or cybercrime than any other crime. In the same period, some 44 pension schemes reported successful cyber-attacks to the Information Commissioner’s Office (ICO).
The upshot is that trustees clearly need to be on their guard. In the pension scheme context, cybersecurity breaches can include:
What makes pension schemes such attractive targets, and therefore more vulnerable to a data breach?
Pension schemes are tempting targets to cybercriminals due to the rich source of personal data they control and process. Schemes are particularly vulnerable to ransomware attacks, since paying scheme benefits uninterrupted and as expected is crucial. Some are especially susceptible as they are not properly prepared for an attack.
What are the potential impacts of a successful cyberattack?
A breach can affect the financial and operational function of the scheme in the timely payment of benefits, it can have legal repercussions for the trustees in terms of fines and sanctions from the Regulator, and it can have adverse reputational consequences for the employer, trustees, advisers and administrator too. We have outlined below the specific types of cyber threat of which trustees should be aware.
Cybercriminals have various means of attempting to breach cybersecurity. They apply as much to pension schemes as to any other form of business:
Currently, one of the fastest growing cyber threats is the compromise of software at some point in the supply chain. The chain is only as strong as its weakest link, so it’s necessary to take effective measures to build resilience and raise standards right along it.
Next, we look at the essential steps to building resilience and raising standards in case of attack.
What do we mean by a pension scheme’s supply chain? Essentially, it’s anyone who manages, administers or advises the scheme. It will include the trustees, the sponsoring employer, the administrator, the lawyer, the actuary and any other advisers. It is important for every link in the scheme’s chain to manage and build resistance to attack.
First, as trustees you should address information security in your supply agreements. At the outset, you need to conduct due diligence in assessing the potential cyber risk and ensure that you understand the terms relating to security in any contracts with your advisers and administrators. Some of the questions to ask yourselves include:
The Regulator issued guidance on cyber security principles for pension schemes in 2018, and this remains valid. In the draft General Code, it also focuses on the management of IT systems more generally. Some of the Regulator’s expectations are examined more closely below.
The load of expectation from the Regulator may seem overwhelming, especially for smaller schemes, but the Regulator’s message is “don’t panic”. Cyber controls, it notes, are similar to any other form of internal control, although it recognises that it may feel different as cybercrime is constantly evolving and unfamiliar. Generally, cyber controls complement the trustees’ duties under data protection law in processing personal data. The Regulator has outlined specific expectations in terms of prevention, detection and response:
Here, we’ve taken extracts from the Regulator’s draft General Code and provided more detail from the guidance on the Regulator’s expectations of trustees in relation to cyber controls, IT system maintenance and business continuity. These apply for the scheme’s internal systems and for oversight of service provision from the scheme’s suppliers. Trustees are not expected to be experts themselves, but they are expected to understand the issues for discussion with their service providers and to ensure that their own systems are compliant.
Cyber controls
Maintenance of IT systems
Business continuity plan
We are seeing an increased focus on cyber risks and the rising presence of controls. Controls are more likely to be in place in larger schemes, which is understandable, but small schemes still need to take a proportionate approach. The number of trustee bodies with the expected level of preparedness and resilience is growing, but incident report plans are by no means universal. Administrators must be a key focus for trustees, but the whole scheme environment and advisory chain should be considered, including individual trustees themselves, who are likely to work from home.
In its statement following a recent and well-publicised cyber security incident, the Regulator reminded trustees that they are responsible for the security of members’ data, and they should check whether their data could be affected. The incident shows the importance of having a robust cyber security and business plan in place.
Norton Rose Fulbright LLP has a dedicated Information Governance, Privacy and Cybersecurity team. We can help you with getting up to date on protecting your scheme’s systems and data, and we can also be there for you if a cybersecurity incident does occur. If you would like to know more, please get in touch with your usual Norton Rose Fulbright pensions contact.
© Norton Rose Fulbright LLP 2023