The Pensions Regulator publishes its Cyber Security Principles for Pension Schemes (‘the Principles’)

As is the case with many individuals and entities operating in financial services, pension trustees are facing an increasingly challenging regulatory and legal environment. Indeed, we are aware of three recent developments (discussed below) that could lead to trustees facing increased litigation and regulatory action. In such circumstances, financial lines insurance can be an essential line of defence.

The Pensions Regulator publishes its Cyber Security Principles for Pension Schemes (‘the Principles’)

The Principles (published in April 2018) clarify that trustees are accountable for the security of scheme information and assets and set out various expected standards in respect of cyber risk, including the expectation that trustees and scheme managers should:

  • Have access to the required skills and expertise to understand and manage the cyber risk in their schemes
  • Ensure sufficient understanding of the cyber risk: the scheme’s key functions, systems and assets, its ‘cyber footprint’, vulnerabilities and impact.
  • Ensure the cyber risk is on the scheme’s risk register and regularly reviewed
  • Ensure sufficient controls are in place to minimise the risk of cyber incident, around systems, processes and people.
  • Ensure that all third party suppliers have put sufficient controls in place
  • Put an incident response plan in place to deal with incidents and enable the scheme to swiftly and safely resume operations
  • Regularly test and review controls, processes and response plans and be kept regularly updated on cyber risks and seek appropriate information and guidance on threats.

The document then goes on to describe twenty core principles under four categories: Governance; Controls; Incident Response; and Dealing with an Evolving Risk.

Given that the Principles set out various standards, it seems inevitable that if trustees fall below those standards they will be vulnerable to claims by members of their pension schemes and also regulatory action by the Pensions Regulator. If that is the case, Pension Trustees Liability insurance (‘PTL’) can assist. PTL policies are primarily designed to provide coverage for claims (including regulatory actions) against trustees for acts, errors or omissions committed in their capacity as trustees. In addition, coverage is also provided for the scheme itself (also described as ‘the plan’), the sponsoring employer company and any corporate trustee companies in relation to the applicable pension scheme.

Beyond PTL insurance, dedicated Cyber insurance could also assist. Cyber policies provide coverage for several risk areas, including claims in connection with data breaches and costs incurred to notify those affected by data breaches. Pension schemes can purchase Cyber insurance or alternatively they can be included under their sponsoring employer company’s Cyber policy. Cyber insurance is primarily a corporate insurance and it will therefore provide coverage for the sponsoring employer company, the scheme and any corporate trustee companies.

Enhanced Powers for the Pensions Regulator?

Recent high-profile corporate collapses in the UK, such as BHS and Carillion, have prompted the UK government to seek to strengthen the powers of the Pensions Regulator (‘TPR’). Indeed, the Department for Work and Pensions has recently proposed that TPR should have the power to levy a new civil penalty of up to £1m in order to deter behaviours which have resulted in actual harm to a pension scheme or have the potential to do so if left unchallenged. The UK government has also proposed introducing new criminal offences to punish certain transgressions, such as ‘wilful or grossly reckless behaviour’ in relation to a defined benefit scheme or failure to comply with the notifiable events framework. All those who have responsibility to the pension scheme, including directors, sponsoring employer companies and, in some circumstances, trustees, would be targets under the new penalties regime, according to the Department for Work and Pensions.

Fines are very difficult to insure. However, PTL insurance could be of assistance if trustees and other insured parties are facing TPR fines, because a broad PTL policy will include coverage for civil TPR fines and penalties. Coverage will only apply where the fine is civil in nature and is insurable by law (i.e. insuring the fine is not prohibited by a regulator or as a matter of public policy). Beyond coverage for fines, PTL insurance can provide coverage for costs and expenses incurred in responding to investigations by regulators that may result in fines.

Increasing Focus on Trustees’ Investment Duties

The UK Environmental Audit Committee has recently issued a report on ‘embedding sustainability in financial decision making*’, which made a number of recommendations to encourage pension scheme trustees to take long-term issues such as climate change into account when considering investment. In addition, we understand that the UK Government is proposing legislative changes which will require trustees to update the statement of investment principles so that they involve greater engagement on issues such as social and environmental impact. It seems that these developments will lead to greater scrutiny of pension scheme investments by, amongst others, pension scheme members. We presume that if members are dissatisfied with the social or environmental impact of investments, then they may consider taking legal action against the scheme’s trustees. In such circumstances PTL insurance could respond.

In addition to PTL insurance, there is a need for pension schemes to consider a full range of insurance coverages including Cyber, Crime and, in some circumstances, Civil Liability.

Gallagher has extensive experience of advising trustees, pension schemes and related entities on suitable insurance solutions.

What Makes Us Different
  • We believe there’s no substitute for reliability. Financial Institutions shouldn’t have to compromise between great service and a great renewal result. Gallagher combines the strong balance sheet and market influence of one of the world’s largest brokers with a dedicated service mentality.
  • With over 600 clients spread across 50 countries and territories, our Financial Institutions team has capabilities in a range of niche industry subsectors. Our broad specialist knowledge means we can look at insurance differently, offering clients year-round insight and a service that is reassuringly predictable, so they can leave the risks to us.