Cyber Security

Meeting: 16/05/2022 - Pension Advisory Board (Item 11)

11 Cyber Security

The Board is asked to consider the Cyber Security Report from the 29 April 2022 Pensions Committee by the Director of Finance and Support Services.

Minutes:

11.1     The Board members in attendance received a report by the Director of Finance and Support Services that had been considered at the 29 April Pensions Committee meeting (copy appended to the signed minutes).

11.2     Vickie Hampshire introduced the report and explained that the report had gone to the Pensions Committee to explain the red risk status in the risk register.  The fund held a lot of personal data and so it was important to recognise all risks.  It was reflected on that the risk would never be removed due to the changing nature and environment of cyber crime.

11.3     The Board members in attendance made comments including those that follow.

·       Sought clarity over the work plan arrangements.  – Vickie Hampshire confirmed that a work plan was being delivered for the year.  Andrew Lowe reported the exercises that Hampshire had undertaken to review cyber security such as penetration testing of systems.  Hampshire were committed to annual checks and their work plan had been signed off by Hampshire’s IT Team.  The Pension Regulator requirements had been adhered to, and staff undertook phishing training to help them recognise scams.

·       Noted the difficulties that could occur when scheme members have been targeted and how to explain to them that they may have been subject to a scam.

11.4     Resolved – That the Board members in attendance note the update.


Meeting: 29/04/2022 - Pensions Committee (Item 8)

8 Cyber Security

Report by the Director of Finance and Support Services.

The Committee is asked to recommend that officers continue to monitor cyber security and risk; and that Pension Committee Members and Pension Advisory Board members undertake to complete the LOLA training and the tPR toolkit training.

Minutes:

8.1        The Committee considered a report by the Director of Finance and Support Services (copy appended to the signed minutes).  Katharine Eberhart introduced the report and highlighted the red risk on the Pension Fund Risk Register. The report covered arrangements with a number of bodies including West Sussex and Hampshire County Councils, and Link.

8.2        The Committee made comments including those that follow.

a.     Questioned whether there had been any material incidents to the Local Authority systems which would present a risk to the Pension Fund.  - Katharine Eberhart, Director of Finance and Support Services, explained that if the Local Authority systems went down then that would take the Pension Fund systems down too.

b.     Noted the training available for Pension Committee and Pension Advisory Board members as set out at paragraph 6 and how this would be helpful in understanding where the cyber security weaknesses were.

c.    Noted from the report that officers monitored cyber security and risk and questioned what action was taken as a result of that.  – Katharine Eberhart explained, as set out in the report, that the County Council was fully compliant with government guidance on cybersecurity in its IT systems which included undertaking annual ‘white knight’ activities as part of a very thorough process which was duly reported through the Regulation, Audit and Accounts Committee.  Internal audit also worked through the whole IT suite on a two-year cycle to give added assurance on its cybersecurity.  Andrew Lowe highlighted the Cyber Security Statement as set out in the report for Hampshire County Council.  Andrew Lowe also explained that over the past year Hampshire County Council had undertaken a full private sector penetration test exercise on its external and internal infrastructure which had reported back that its risk was medium/low for a successful cyberattack.

8.3        Resolved – that

(1)         Officers continue to monitor cyber security and risk

(2)         Pension Committee Members and Pension Advisory Board members undertake to complete the LGPS Online Learning Academy (LOLA) training and the tPR toolkit training, as identified in paragraph 6.1.