Sutton Council is taking proactive steps to safeguard pension fund data against potential cyber-attacks, as highlighted during a recent Pension Committee meeting.
The committee convened with a significant focus on governance and risk management, including the ever-present threat of malicious cyber activity.
According to the Governance and Risk Update, one of the amber-rated risks identified is "Failure to protect the Fund's key information and data as a result of malicious cyber-attack".
The report emphasized that failure to manage this risk could result in confidential member information being compromised, potentially leading to a breach of the Data Protection Act 2018. To mitigate this cyber risk, the Fund adheres to Sutton Council's IT policies, maintains an unpublished Cyber Policy, and ensures staff receive up-to-date cyber training.
The Governance and Risk Update also provided an overview of the Fund's risk register, categorising risks under administration, funding and investments, and governance. As of the report's writing, administration risks were rated amber overall, while funding and investments and governance were rated green. The individual risks rated amber are:
- Risk 1 (Administration): Incomplete or inaccurate member data. This could lead to the incorrect payment of benefits, non-compliance with regulations, and member complaints. To mitigate this, officers are implementing the Fund's Data Improvement Plan through ongoing validation and employer engagement.
- Risk 20 (Administration): The impact and cost of changes to the LGPS Regulations. Officers have assessed this risk, noting that it is mostly outside the Fund's control. Despite the latest government consultation, the likelihood and consequences of any material risk to the Fund from changes to the LGPS regulations remain unchanged. Officers will continue to monitor developments within the scheme regulations, alongside the actuary and benefits consultants, and report back to the Committee on any changes. The Fund will also continue to work with its software provider to ensure compliance with any changes to the scheme regulations.
- Risk 3 (Governance): Failure to protect the Fund's key information and data as a result of malicious cyber-attack. Officers have assessed this risk and agree that its likelihood and consequences remain unchanged based on the information currently available. Failure to manage this risk may result in confidential member information being placed at risk and a potential breach of the Data Protection Act 2018. To mitigate this risk, the Fund has several measures in place: officers act in accordance with the Council's IT policies and the Fund's unpublished Cyber Policy, and ensure all staff are up to date with cyber training.