Reflecting on this summer’s global IT outages – lessons for pension schemes
After the Capita cyber security incident of March/April 2023 (which we discussed at the time here) and, more recently, the BBC cyber security incident of May 2024 (which we also discussed here), the pensions industry arguably did not need another reminder of the importance of cyber security for its schemes and stakeholders.
However, the global IT outage that took place this summer (July 2024) has provided another such reminder – highlighting the heavy reliance of modern society on our digital infrastructure, and equally, the vulnerability of it.
The Outage
The outage, which affected industries worldwide, grounded flights and disrupted services in banking, travel, and broadcasting. The incident has been linked to CrowdStrike, a US-based cybersecurity company. A software bug appears to have caused affected computers to repeatedly attempt to restart and to display various error messages.
While most affected operations recovered from the outage relatively quickly, litigation is following in its wake. Both consumers and providers reliant on the impacted services (such as US airline, Delta) are planning to sue for damages caused. The operational impact of a software bug can be unpredictable and severe – it is clear now however that the potential financial consequences of such a bug may last long beyond its initial sting.
Relevance for Pension Schemes
Pension schemes are not immune to such threats. They hold extensive personal data about scheme members and manage large assets, making them attractive targets for cyber criminals. The Pensions Regulator (TPR) is increasingly concerned about schemes’ resilience against system or data breaches, and has demonstrated this by updating its cyber principles and including a cyber module in the recently published General Code.
Broadly speaking, TPR states that an effective system of governance for pension schemes requires measures to reduce cyber risk. Most relevant in this instance is having a business continuity plan and an incident response plan in place, so that the scheme is (a) prepared for an incident, e.g. by having back-up systems available to replace the affected systems, and (b) able to react promptly and effectively to its wider effects.
For example, the NHS released a statement early on in the outage, stating that they had “long-standing measures in place” – although they also noted that some systems were heavily affected.
IORP Risk Dashboard Update
In the same month, the European Insurance and Occupational Pensions Authority (EIOPA) updated its ‘Institutions for occupational retirement provision’ (IORP) Risk Dashboard to report a predicted increase in digitalisation and cyber risk over the next 12 months. EIOPA states that:
“In terms of expected developments over the next year, this is the only category in the risk dashboard to display an increasing trend. Cyber security remained as a main concern.”
While this report is most relevant to institutions in the European Union, the CrowdStrike outage has shown that cyber risks can have global implications regardless of their point of origin. The dashboard also reflects the attitudes of UK pension scheme trustees, who recently cited cyber security threats as a top concern in a survey published by Lane Clark & Peacock.
Conclusion
The IT outage underscores the modern world’s reliance on IT infrastructure. It serves as a reminder of the importance of having contingency plans in place for when the arguably inevitable happens (TPR’s guidance states that schemes should assume that cyber incidents are now a matter of ‘when, not if’). Pension schemes, like all organisations, must ensure they are prepared for such incidents, highlighting the critical role of robust cybersecurity measures in safeguarding members’ benefits.