Minutes:
The Committee were also notified of a separate exercise undertaken by HCC to test cyber security in the pensions administration system. Along with Hampshire’s normal penetration testing, this found positive results, in that no urgent, critical or high-level weaknesses were identified for external, internal and application penetration testing. There were instances of low and medium level weaknesses, which were being addressed by HCC and Civica; additionally, HCC’s internal vulnerability assessment scoring system showed that none of the issues identified warranted adding to their vulnerability management register. The Committee asked whether HCC had considered the prospect of purchasing cyber insurance. It was confirmed that officers had asked HCC whether they had specific cyber insurance, and it was noted that they had not taken up such a policy, although as part of their annual general insurance assessment they looked at the feasibility of acquiring cyber insurance. It was noted that, should HCC deem it necessary to acquire cyber insurance, they would need agreement from all of their pension administration partners. The Committee were also informed that, independently of HCC, Hillingdon officers had looked at the cyber insurance market and noted the difficulties in obtaining cyber insurance, as excesses were often close to or equivalent to the level of insurance cover. Members recognised that the current market for such insurance was not ideal and highlighted that there may be merit in contacting HCC and their other administration partners to establish whether there was an appetite for this type of insurance.
The Committee were also updated on two administration policies regarding nominated individuals: the Internal Disputes Resolution Policy (IDRP) and Death Grant Signatories. The stage 1 IDRP officer was currently James Lake, Head of Pensions, Treasury & Statutory Accounts. It was highlighted that the role required independence from the pension fund, and it was therefore proposed that the role be attributed to the Head of Counter Fraud. With regard to the Death Grant Signatories, the list had been updated to pertain to the four most senior officers in the Finance Directorate. It was also requested that a delegation be granted to allow for prospective post and job title changes, although it was confirmed that the seniority level would be maintained.
RESOLVED: That the Pensions Committee:
1) Noted the administration report;
2) Agreed the updated Internal Disputes Resolution Policy and Death Grant signatories list;
3) Delegated authority to officers to maintain and update the Internal Disputes Resolution Policy and Death Grant signatories; and
4) Requested officers contact HCC and other administration partners regarding the prospect of exploring the merits of acquiring cyber insurance.