The speaker at The Society of Pension Professionals Annual Conference raised the topic of cyber security and the importance of trustees understanding their responsibilities in this area. This is certainly a topic that will be of growing importance over the coming years.
Security experts have cautioned that because pension schemes hold a considerable amount of personal and financial data, they are particularly attractive to cyber criminals. In fact, some colleagues thought it was only a matter of time before a pension scheme suffers the same fate as so many other organisations that have had to deal with these types of data security issues.
The pension industry has been quite slow to consider this issue compared to other financial services and some trustees wrongly assume cyber security is the responsibility of others – such as scheme administrators. However, it is trustees who are responsible for data control and so it is vital they ensure the relevant protocols and policies are in place. Cyber security is rising up the agenda for most schemes, and rightly so. It really should be up there along with all your key priorities.
Plans and risk management in relation to cyber security need to be flexible and proportionate. Before long, schemes may be in the same position as large corporates in that the question is not – has the scheme been attacked or has its security been breached – but rather, how did the systems respond to attacks which may be inevitable?
As a minimum, trustees should rigorously question their suppliers and require that regular tests are in place and consistently reviewed. There should also be a communication procedure to outline what would happen if there were a breach.
Trustees must assess their scheme’s vulnerability to attack and take the necessary steps to protect both member data and scheme assets. Experts say cyber criminals could sit unnoticed for months, if not years, just waiting for the perfect time to hold trustees to ransom. If that were the case, the financial losses to a scheme could be phenomenal.
Of course, schemes are not alone in facing this threat and should benefit from the learnings of other sectors and indeed other schemes. After the NHS ransomware attack, the National Cyber Security Centre published a guide on ransomware which provides some useful advice and is a good starting point. You can download it here.