Pension Funds Insider

Pension Funds Insider brings the latest pensions news and industry insights; from investment and governance updates to new mandate appointments and pensions regulatory information.

Latest news DC and Auto Enrolment Governance Investment Legal and Regulatory Mandates News and Research Opinions Risk Management Trusteeship

Cybersecurity is not just an IT Problem

Friday, June 30, 2017

Image for Cybersecurity is not just an IT Problem

Daniel Taylor urges the pension industry to take cyber security seriously with rigorous training and testing.

This season's hot administration topic is 'cybersecurity'.

Recent headlines, as well as the dawning realisation that pension schemes are sitting on massive stores of data, has finally woken everybody up to this very real and credible threat.

Pension administrators know a lot more about you than your neighbours, your insurer, your bank and maybe even your doctor.

We sit on information about your employment, earnings, relationships, bank accounts and sometimes even your health.

What was once paper and manual is now digital. What was once calculated, checked and validated by trading letters is now done through the exchange of electronic data.

Today, employers, administrators, actuaries, members and other specialist service providers are continually processing and transferring personal data.

What makes this threat more acute for administrators is that the volume of data we are amassing has grown exponentially over recent years.

The universal adoption of electronic document management, workflow, and, to a lesser degree, digital communications means that it's not just a core set of factual employment and benefit data we record electronically – it's every single exchange, letter, comment and email ? all stored, indexed and linked to a person's record.

As the volume of data grows exponentially, so do the opportunities to use it.

But, if preventing cybercrime is on your 2017 to-do list, then don't be fooled into thinking it's just an IT issue that can be resolved by some clever computer wizardry – it can't. Preventing cybercrime is not just an IT issue.

If you want to prevent your house being burgled, you may put a sturdy lock on your front door. But, if you invite the burglar in, leave the door open or give a thief a job fixing a shelf inside your home, the lock is a worthless piece of decoration.

The exact same principle applies to preventing cybercrimes. As with all crime prevention, it requires prevention policies, training and ongoing management.

According to IBM's Cyber Security Intelligence Index, 55 per cent of cyber attacks are committed by 'insiders'. Caused by either malicious insiders or inadvertent actors (people who either inadvertently give attackers access to data or fail to follow cybersecurity policies), most cybercrime will be instigated or facilitated by trusted people who are already known to you.

It's now widely thought that the recent highly-publicised WannaCry attack that brought swathes of the NHS to a standstill could have been prevented had policies on keeping operating systems up-to-date been followed properly.

The technology existed to stop this attack, but it was a failure to follow policy that left the door wide open.

So how should anyone who wants to engage with cybersecurity issues be approaching this problem? We believe a five-step approach is needed:

1. Add cyber security to the risk register. In a very good analysis published recently by RSM (RSM Pensions Fraud: sleepwalking into a crisis), it is revealed that around a quarter of trustees simply don't recognise they are responsible for fraud detection and prevention.

More worryingly, they go on to point out that nearly a third of internal controls don't cover cybercrime. As the adage goes, what gets measured gets managed – make sure cybercrime is a visible risk that is assessed and discussed.

2. Appoint a trustee responsible for management and monitoring of the risk. Preventing cybercrime involves looking at processes, training and systems. It's virtually impossible to do this via a committee so appoint one person who can spend time understanding and reviewing the risks and mitigation strategies.

3. Check that the internal controls of the trustee board and its advisers cover cybersecurity risks.

4. Ensure that internal controls are being regularly checked and, ideally, audited externally. There are several different assurance frameworks administrators use to document and test their controls – AAF 01/06 tends to be the most widely used and respected.

Whichever framework your administrator uses, make sure the necessary controls are in place and ensure they are getting regularly audited by external consultants.

5. Test, test and test again. Vulnerability and penetration tests are used to identify and exploit vulnerabilities to determine what information is actually at risk. They are an essential part of establishing whether controls and systems actually work.

Make sure your advisers are performing these and ask for copies of the results. Because of the speed with which threats and risks change in this area, it's unlikely any test will give 100 per cent coverage but the testing will demonstrate that your provider is alive to these threats and is actively working to protect their infrastructure.

Written by Daniel Taylor,Client Director,Trafalgar House.