With 25 May just around the corner, all companies and pension schemes need to ensure they comply with the General Data Protection Regulation (GDPR) - for further information see our recent GDPR insight. In this insight, we look at the importance of cyber security and the responsibility of trustees and scheme managers to follow best practice. This includes ensuring the appropriate measures are in place to protect against any potential cyber attack.
To me, the phrase ‘cyber attack’ sounds really futuristic - something that will happen when we all fly to work or better still, teleport. In reality it’s 2018 and a ‘cyber attack’ or ‘cyber breach’ is a constant threat and pension schemes are a major target. This is understandable as they hold a large amount of personal data and assets – the perfect prey for cyber criminals.
We have heard the terrible stories of pension scheme members who have lost some or all of their savings having fallen victim to scammers. Scammers know members can access their savings in new ways and try to persuade them to transfer money with promises of upfront cash and receiving their pension before age 55. It’s therefore increasingly important that members’ personal data is kept safe.
You may remember the global attack that paralysed the NHS last year. A ransomware virus locked down computers and demanded payment for the systems to be restored. This was a huge wake-up call for many companies and pension schemes. There is now increased responsibility on trustees and scheme managers, as ultimately they are accountable for the security of scheme information and assets. Regular training is essential, as the cyber risks will continue to change and adapt over time.
The Pensions Regulator’s (TPR) ‘Guidance for trustees – Cyber security principles for pension schemes’ sets out good practice for pension schemes and the steps needed to build cyber resilience. The guide also includes a ‘Cyber risk assessment cycle’:
1. Assess and understand the risk
Trustees and scheme managers need to have a full understanding of the cyber risk faced by their schemes. They need to ensure they have the right knowledge and skills in order to prepare for and act on a potential attack.
2. Put controls in place
Have the right procedures and controls been put in place to reduce the risk of a cyber attack or incident? Is there a plan in place to deal with an incident, and is this also being followed by any third parties or suppliers? Most importantly, do the scheme’s processes and procedures fully comply with GDPR?
3. Monitor and report
Cyber criminals are constantly adapting and finding new ways to breach data security. Trustees and scheme managers need to keep reviewing and adapting their procedures so that they stay up to date with the latest guidance on threats and on how to monitor and report incidents.
The key message TPR is promoting is the need for vigilance and planning. To read TPR’s full guidance, click here.
We live in a world that is always changing and adapting, and unfortunately not everyone is taking advantage of the changes for honest reasons. The good news is that there is help and guidance available. It is up to the trustees and scheme managers to make sure that this guidance is followed and that the necessary training is given where required.
The future is now and we have to learn and adapt to everything that it has to offer – both the good and bad.