Cyber crisis mode: what pensions trustees should be thinking about
August 17, 2023
Entities holding vast amounts of personal information will always be attractive targets for cyber-attack, and pension schemes and their service providers are no exception. When outsourcing giant Capita suffered a data breach in March, hundreds of pension schemes and their trustees were thrust into (cyber) crisis mode.
To regain situational control, and to convey this to worried individuals, communications with members and regulators, and with legal, insurance, IT and forensic advisers, became crucial. And that was before the media got involved.
Clear and consistent communications
Establishing exactly what has happened can take time. However, a communications vacuum cannot be allowed to take hold while technical investigations are ongoing, because silence is quickly filled by misinformation and conjecture.
There may be limits to what can be shared, either because the facts are yet to be established or because a statement could jeopardise ongoing ransom negotiations. Within those limits, messaging should seek to reassure those impacted that diligent processes are being followed and that remediation work is underway with the help of relevant experts.
This applies to liaison with the stakeholders listed above (as well as the scheme sponsor), and thought must be given to the method of any communication, not just its content.
Some comms are non-negotiable: reporting obligations to regulatory bodies must be fulfilled, and on a clock. For UK schemes, for example, a notifiable personal data breach must be reported to the Information Commissioner's Office within 72 hours of the controller becoming aware of it. Others, such as (reactive) media engagement and member updates, are tools which will benefit all parties if deployed correctly. For example, establishing clear channels for scheme beneficiaries to ask questions and receive updates demonstrates proactivity and helps to triage the expected wave of inbound enquiries.
Messaging must strike the right chords but remain consistent throughout the crisis. While tone or delivery method may differ slightly depending on the stakeholder set it is aimed at, discrepancies between messages are not acceptable and will be seized upon. Internal messaging will become public sooner or later, as scheme beneficiaries take to social media or online forums to share their experiences and concerns.
At this point a critical crossroads is reached, between reputational repair and reputational erosion. Despite having suffered an attack (directly, or indirectly through a service provider), victim status will not last long. Decisive remediation work to restore data integrity, to close the vulnerabilities that were exploited, and to provide ongoing assurance and protection for those affected will (re)build trust and restore brand value.
Reassure, repair and review the cyber crisis
Of course, the best defence starts with preparedness and robust governance protocols. This extends beyond your own organisation to every part of your supplier ecosystem: you are only as strong as your weakest link, and a breach at a third-party administrator is still your members' data. Prevention, unfortunately, cannot be guaranteed in today's cyber risk landscape, but preparation is better than cure, and upfront planning (an incident response plan, pre-agreed contacts at advisers and suppliers, and draft holding statements) reduces pressure mid-crisis.
When an incident does occur, reviewing the chain of events and the key learnings is the first step towards process improvement. Trustee duties to scheme beneficiaries demand strong governance standards, and the evolution of cyber threats dictates that such standards are constantly updated.
Head of Crisis Ryan McSharry and Senior Strategist Matthew Gilleard explore the key takeaways from the Capita hack for trustees in a recent article for Professional Pensions. The full article is available for subscribers to read here. You can also view our Crisis Communications services here.
We can help
Contact firstname.lastname@example.org for immediate response