Cyber Security – Importance of Information Security policies
15th June, 2022
Sometimes it seems we live in a nation of over-sharers, whether it is a (not so) humble brag about a new purchase, or a post disclosing a new home address, child’s birthday or some other personal details over a social media platform for the world to see – often seemingly without checking current privacy settings first.
But, whilst it is one thing for an individual to breach their own privacy (by accident or design), we understandably hold the professionals dealing with our personal data and our pension funds to a higher standard. Indeed, when it comes to pension trustees and their advisers, individuals are entrusting them not only with retirement savings, but also with a wealth of personal data.
Keeping data and scheme assets safe is an ongoing battle in the online world. The Covid pandemic has escalated our reliance on online platforms for all aspects of life – be it social, banking, work or even pension trustee business.
With that increase in online activity, fraud and cybercrime are fast establishing themselves as among the most common crimes of the 21st century, evolving more dramatically than other crimes over recent times. The consequences of a cyber-attack on a pension scheme could be far reaching:
- Reputational risk for both the scheme and the sponsoring employer, and potentially for third-party providers too, if the vulnerable systems at fault were theirs.
- Compromising of member data.
- Defrauding the scheme of its assets (potentially multi-millions or even billions of pounds).
- Inability to run the scheme when access to data is blocked – if data cannot be accessed, pension administration cannot function and benefits cannot be paid.
- Regulatory action and potential fines for breaching data protection legislation.
Information security policies – having a plan to combat cyber attacks
Regardless of whether they delegate, outsource or keep tasks in-house, the ultimate responsibility for running the scheme, and for all compliance measures that protect members and assets, remains with the trustees. As a starter for ten, therefore, when it comes to cyber security it is essential that the trustees set out their plan for protecting the scheme within an Information Security policy.
It seems almost ironic that a piece of paper should be the building block of security against a virtual crime. But having a plan to combat attacks is crucial – ‘fail to plan, plan to fail’.
The benefit of an Information Security policy is that it ensures everybody who works on the scheme, be they a trustee, a sponsoring company representative or a third-party provider, has a thorough understanding of what is expected of them when dealing with scheme assets and/or member data.
Points to consider including in such a policy are:
- Clearly defined and assigned roles and responsibilities.
- Ensuring that cyber risk is included and reviewed on the scheme’s risk register.
- Setting out the controls in place to mitigate cyber risk, ensuring that systems are regularly updated and patched as required.
- Putting controls in place around processes and people.
- Drafting and updating policies relating to data protection, home working and any other areas which could compromise data security.
- Setting up a cyber incident response plan and ensuring third-party providers have plans in place.
Not all cyber criminals are equal
It is worth remembering that not all cyber criminals have the same intentions and, whilst some have clear aims to defraud individuals, for others hacking systems and causing chaos is the name of the game.
It follows, too, that not all aspects of a scheme’s policy need be highly intricate or complicated for trustees and advisers to follow. Simple measures, like providing member-nominated trustees with company email addresses for trustee business and setting up document sharing spaces via secure online portals, are both effective and relatively easy to implement.
In this era of reliance on online systems, those involved in managing pension schemes should be doing everything they can to keep their property secure. Implementing an information security policy should be a first step.