The OPS (Governance) (Amendment) Regulations 2018 came into effect in January 2019 and the Regulator has been reviewing their codes of practice to incorporate this and combine the content of 10 current codes of practice to form a single, shorter code.
Whilst these codes aren’t statements of law, they detail what’s expected for good governance to comply with Pensions law.
These new codes were developed in phases, and the draft content for the first phase of the new code of practice was issued for consultation earlier this year.
Risk management is a key area in the new code, and it includes:
- Identifying and assessing risk
- Managing risk using internal controls
- Assurance of governance and internal controls
- Continuity planning
- Conflicts of Interest
- Own risk assessment
The code states that “It is not necessary, nor possible, to eliminate all risks from a pension scheme. Governing bodies should use risk management as a tool to identify risk and develop internal controls”
Trustees are expected to have an effective system of governance, including internal controls proportionate to the nature of the scheme.
Cyber Risk
Cyber risk is wrapped up in the new single code of practice
The management of internal controls need to include measures to reduce cyber risk. In assessing cyber risk, trustees should not only consider the vulnerability to a cyber incident of the scheme’s key functions, systems, and assets, but also the vulnerability of service providers involved in the running of the scheme.
Many schemes use third party organisations to run their scheme and many have included a statement on their website of how they’ve continued to work and operate effective controls during the pandemic. Many also have audited Type 2 reports (AAF 01/06 and SAS70) on their controls.
The code usefully breaks down the guidance into practical steps of assessing and managing cyber risk. These are reproduced below and the full draft of the code can be found here: https://www.thepensionsregulator.gov.uk/-/media/thepensionsregulator/files/import/pdf/full-draft-new-code-of-practice.ashx
Assessing cyber risk
- Ensure the governing body has knowledge and understanding of cyber risk.
- Understand the need for confidentiality, integrity and availability of the systems and services for processing personal data, and the personal data processed within them.
- Have clearly defined roles and responsibilities to identify cyber risks and breaches, and to respond to cyber incidents.
- Ensure cyber risk is on the risk register and regularly reviewed.
- Assess, at appropriate intervals, the vulnerability to a cyber incident of the scheme’s key functions, systems and assets (including data assets) and the vulnerability of service providers involved in the running of the scheme.
- Consider accessing specialist skills and expertise to understand and manage the risk.
- Ensure appropriate system controls are in place and are up to date (e.g. firewalls, anti-virus, and anti-malware products).
Managing cyber risk
- Ensure critical systems and data are regularly backed up.
- Have policies for the use of devices, and for home and mobile working.
- Have policies and controls on data in line with data protection legislation (including access, protection, use and transmission).
- Take action so that policies and controls remain effective.
- Have policies to assess whether breaches need to be reported to the information commissioner (ico.org.uk).
- Maintain a cyber incident response plan in order to safely and swiftly resume operations. Learn more in Continuity Planning.
- Satisfy themselves with service providers’ controls (see Managing advisers and service providers).
- Receive regular reports from staff and service providers on cyber risks and incidents.
