Pensions Regulator warns over third party risk after recent cyber incidents - what are the key actions for trustees?

13 June, 2023

Timothy Ruangvoravat

Director, Third Party Assurance, PwC United Kingdom


In April 2023, an outsourcing firm that administers pension funds for large organisations experienced a cyber incident which serves as a reminder for trustees of the need to address third party risk as part of robust cyber security and business continuity planning.

In a statement after the incident, the impacted firm said there had been limited data exfiltration from its affected server estate, which might include customer, supplier or colleague data. As a result of this, pension schemes that use this administrator will need to consider writing to their members about potential data loss.

The incident is also a warning for the wider pensions industry and the Pensions Regulator has reminded trustees that they are responsible for the security of their members’ data, highlighting its best practice cyber security guidance for minimising risk and building greater cyber resilience.

One of the key steps in the regulator’s cyber security guidance concerns third party risk, and trustees need to ask themselves: “Have you assured yourselves of your third party providers’ controls?” Trustees currently meet this expectation in broadly three ways:

1. Due diligence questionnaires

Due diligence questionnaires are common, but they provide only limited comfort over a risk as critical as customer data protection, because the answers are self-reported and are not subject to audit or verification. Questionnaires are also limited by what third party administrators are willing to disclose. Cyber security information is held tightly for good reason, to keep those security arrangements secure, but that makes independent critical assessment by trustees difficult.

2. Certifications

Some third party administrators address this through certifications such as ISO 27001. Certifications have a role, but a certificate confirms that a management system was assessed at a point in time; it does not typically give detail on the underlying controls or the scope of coverage, and certifications are not always refreshed regularly enough to stay current. Consequently, certification alone may not give pension schemes enough information to meet the regulator’s expectations.

3. Controls-based independent assurance

The commonly obtained SOC 1 or AAF 01/06 controls report can give basic comfort over IT general controls, but these reports are designed around controls relevant to financial reporting rather than data security. The better answer is a SOC 2 report, with an independent external auditor’s opinion on the design and operating effectiveness of the organisation’s controls for managing customer data. Note that only a Type 2 report covers operating effectiveness over a review period; a Type 1 report opines on control design at a single point in time. Pension schemes should seriously consider requiring this level of reporting from their administrators.

The advantages of a SOC 2 controls report

A number of features in SOC 2 help to provide more powerful assurance to pension trustees. These include:

  • Controls and scope detail - Unlike a certification, a SOC 2 report allows a reader to be informed about the relevant controls at an appropriate level of detail, making the controls and scope of coverage clear without giving away cyber security crown jewels.
  • Independent expertise - A SOC 2 opinion from a reputable independent auditor also helps to address another of the regulator’s cyber security guidance questions: “Do you have access to the right skills and expertise to understand and manage the risk?” A SOC 2 report from a known auditor is a good way of demonstrating that the right skills and expertise have been engaged.
  • Audit rigour - A SOC 2 report is backed by an audit opinion, which imposes a level of rigour on the testing and evidence gathered to support that opinion.

Next steps for trustees

Simply obtaining a SOC 2 report from a pensions administrator is only the first step. Trustees then need to read and understand the report: the period and services it covers, which Trust Services Criteria are in scope, whether subservice organisations such as hosting providers are carved out, any exceptions the auditor identified, and the complementary user entity controls that the scheme itself is expected to operate. Crucially, trustees need to hold administrators to account for addressing any issues identified.

The Pensions Regulator’s notice on this recent cyber security incident ended with a reminder that it may engage with trustees further to understand the steps they have taken and what progress has been made to build cyber resilience. Obtaining and demonstrating review of a SOC 2 from your administrator can provide trustees with one part of a robust answer in such discussions.

Find out more about how third-party controls reports can help with cyber security and operational resilience, or contact Timothy Ruangvoravat for more information.
