
Out-Law Analysis

Pensions risk transfer: managing cyber risk on bulk annuity transactions


Pension scheme trustees and insurers need to manage cyber risk effectively when completing bulk annuity transactions amidst increased regulatory scrutiny of the issue and the further legal and reputational risk that can arise from a cyber incident.

The process involves the exchange of highly sensitive personal data that would hold great value to cyber criminals, as well as changes in the legal responsibilities for that data. These are risk points that both trustees and insurers need to understand and address through a combination of preventative measures, robust testing, proactive risk management, and effective incident response plans.

How does cyber risk arise in the context of bulk annuity transactions?

Operating defined benefit pension schemes has become increasingly complicated and risky for both their trustees and sponsors. This, combined with a higher long-term interest rate environment shrinking pension liabilities, has prompted many pension scheme trustees and their sponsors to explore ways in which they can offload these liabilities to insurers. In this context, pension scheme buy-in and buy-out arrangements have surged in popularity in recent years, with annual deal volumes projected to be in the region of £40-50 billion over the next 10 years at least.

Both buy-in and buy-out arrangements involve the exchange of highly sensitive personal data about pension scheme members and changes in controllership for the purposes of data protection law. Often the process will entail the sharing of that data with third parties – such as technology providers or reinsurers. There is therefore inherent cyber risk attached to completing bulk annuity transactions.

The legal and regulatory context

The General Data Protection Regulation (GDPR) took effect in 2018 and spurred increased focus on data protection compliance, heralding a step-change in the size of penalties that can be imposed for non-compliance. The GDPR’s core principles, in particular the integrity and confidentiality principle in Article 5(1)(f), place an overarching obligation on organisations in respect of data security, while Section 2 of Chapter IV (Articles 32 to 34) sets out further requirements on the security of processing and on notifying personal data breaches to the supervisory authority and, where a breach is likely to result in a high risk, to the affected individuals. The same provisions apply in the UK under the UK GDPR.

In the UK, the Information Commissioner’s Office (ICO) is the data protection authority. While it has demonstrated that it is a pragmatic enforcer of the GDPR, organisations that experience a personal data breach can expect the ICO to robustly assess and test whether they had adequate policies and procedures in place to address the risk of such an incident.

In the pensions market specifically, high-profile breaches have hit the headlines and spurred scrutiny not just by the ICO but also by the Pensions Regulator. The Pensions Regulator issued updated cyber security guidance in late 2023 that sets out principles for understanding the risk points in the pensions context, the controls that can be implemented to help reduce the likelihood of incidents, and the measures to put in place so that organisations can mitigate the effect of, and report on, a breach if one happens.

How pension scheme trustees and insurers can manage cyber risk

For pension schemes and insurers involved in bulk annuity negotiations, it is important to understand how the threat landscape is evolving and how the insurer’s arrangements for protecting its systems, and the member data it will receive, from compromise will be addressed in the transaction.

The evolving risk trends are clear. One increasing threat is the attempt by cyber criminals to deceive employees, pension scheme administrators or insurers through phishing emails, phone calls or other social engineering tactics. These threats highlight the need for vigilance and education to help prevent unauthorised access to, or compromise of, data.

A further threat is the risk of employees within insurance companies or pension scheme administrators inadvertently or intentionally causing security breaches. This highlights the need for implementing appropriate access controls, monitoring user activity and promoting a culture of security awareness.

A vital component of any robust approach to being cyber resilient is the development and testing of incident response plans. A well-defined incident response plan should designate the individuals across teams – legal, HR, IT, communications – that should be involved in coordinating the organisation’s response to a cyber incident and outline the steps to be taken in the event of such an incident. The plan should be regularly tested to ensure that it works in practice.

What does this mean for bulk annuity contract negotiations?

The starting point will be robust data protection and cybersecurity clauses in the bulk annuity contract. Pension scheme trustees will need expert help from legal advisers on ensuring these clauses are appropriate.

However, in light of the regulatory context and particularly the Pensions Regulator’s cyber principles, trustees may also need to obtain some level of assurance regarding their proposed bulk annuity insurer’s cybersecurity arrangements before signing the contract and passing over the personal data of their pension scheme members. Specialist help from legal advisers may therefore be needed in relation to:

  • delivering training on cybersecurity in the context of bulk annuity transactions;
  • drafting cybersecurity questionnaires for assessing suppliers’ cyber resilience;
  • reviewing cyber provisions in bulk annuity contracts and the insurer’s cybersecurity controls and policies;
  • providing advice on handling cyber incidents when they happen – including in navigating legal and regulatory obligations.

An effective approach to this will be proportionate and risk based, recognising the Prudential Regulation Authority (PRA)-regulated environment in which bulk annuity insurers operate. Important to this approach will be lawyers with pensions sector experience, who can combine specialist risk transfer and cyber security/data protection legal expertise.
