Minutes:
The Committee considered a report of the Corporate Director of Resources which updated Members on the revisions to the Local Government Pension Scheme (LGPS) Pension Fund Risk Register, following a review with the Principal Risk and Governance Officer in May 2023 (for copy see file of Minutes).
The Chair noted frustration regarding the security breach at Capita, a third-party pensions administration provider, and noted that the updates received were very useful, especially the recent update relating to cybersecurity from the DCC ICT Officers. Councillor M Porter asked about cyber risk. The Head of Pensions (LGPS) noted that the transfer of information to Capita had been paused while the issue was resolved, with those impacted to be contacted in writing and asked if they wished to continue. He noted that the Actuary, AON, was undertaking a bespoke review of cybersecurity specific to Pension Funds and a free review and ‘scorecard’ were available which would help determine if there were any pensions-specific deficiencies or issues. Initial feedback from AON advisors was that the Fund was robust as regards cybersecurity.
Councillor K Early noted that the information provided some reassurance, noting another large cybersecurity issue recently reported in the press relating to outsourced payroll services for large organisations such as the BBC and British Airways. The Head of Pensions (LGPS) noted that within DCC that service sat with the Corporate Director of Resources' directorate, though he understood some Local Authorities use third-party organisations.
Councillor K Early noted that the likely reason the third-party payroll organisation was targeted was the large number of larger companies it dealt with. The Corporate Director of Resources noted that wherever DCC outsourced any function, the contract included references to data protection, and he explained that during the procurement process great emphasis was placed on cybersecurity and a number of checks had to be satisfied. He noted that alongside these elements, DCC issued regular updates and training relating to cyberattacks and the common methods used, such as phishing e-mails.
The Independent Investment Adviser noted two observations in respect of the risk register, the first being that, in his experience in dealing with many Local Authorities, the one from Durham was very clear in the way it was set out. He added that it may be beneficial for Members if the risks were highlighted red, amber, green to give an indication of their significance. The Head of Pensions (LGPS) noted that risks were scored on such a ‘RAG’ basis in terms of net scores, but agreed that it could be highlighted within the tables used. Councillor K Early agreed that would be helpful for Members.
Resolved:
That the report provides assurance that the Pension Fund risks are being effectively managed within the Council’s risk management framework.