Agenda item

Cyber Resilience

Minutes:

At the Chair’s invitation, the Governance and Regulations Manager presented the report and updated the Pensions Committee on the progress of the Cyber Resilience Strategy. Since the strategy was approved at the last Pensions Committee on 11 October 2021, officers had reviewed the action plan and undertaken work to increase understanding of the actions required in order to comply with the Pensions Regulator’s expectations.
In terms of the mapping of data and asset flows, the Fund’s governance advisors, Aon, had provided a template to assist with the exercise by recording data and assets and identifying the security of information being transferred, as well as the risks arising from transactions. The maps had been presented to the Local Pension Board, and the Governance and Regulations Manager was happy to circulate the information outside of the meeting, as it was difficult to present the maps effectively during the meeting.
The mapping exercise enabled the Fund to identify the four suppliers which presented the greatest security risk, and as a result a cyber security questionnaire had been sent to those four suppliers. The four suppliers identified were West Northamptonshire Council as the provider of pensions administration; Hymans Robertson as the actuarial services provider; Aquila Heywood as the provider of pensions and payroll hosting services; and Accurate Data, as they delivered mortality screening and member address tracing services. The Governance and Regulations Manager was happy to report that the Fund had received responses from all four suppliers. These responses were currently being reviewed by Aon, and the Pensions Committee would receive an update at the next meeting in March 2022.
The Governance and Regulations Manager continued that the Fund was currently looking into undertaking a phishing email exercise to test cyber hygiene. However, it was expected that the firewall system would prevent the test emails from reaching inboxes, and this aspect of the exercise needed to be revisited. She shared that cyber hygiene was an ongoing process and that it was hard to compile guidelines that were fit for purpose, as users had differing levels of access to IT facilities, with some using personal email accounts and others organisational ones. The Governance and Regulations Manager concluded that cyber resilience was a developing issue and would be presented in the Business Plan in the new year.
Members felt the phishing exercise would be a good way of testing users in a safe environment and would work as a preventive measure. Members also shared that West Northamptonshire Council was currently recruiting for a Head of Cyber Security.
Members questioned how data in transit was managed and what security was in place for data transfers. The Governance and Regulations Manager confirmed that this question had been put to suppliers in the survey. Some suppliers had secure portals in place, and the survey would enable the Fund to have conversations with suppliers to obtain security assurance.
Members also asked whether, once the four main supplier risks had been analysed, the Fund would move on to those suppliers who posed a lesser security risk. The Governance and Regulations Manager confirmed this would be looked into, but felt that systems such as those of HMRC would be harder to compromise and would already have security measures in place.
RESOLVED: That the Pensions Committee noted the progress made against the cyber action plan (Appendix A).