Pension Funds Insider

Cyber challenges and the 21st century trustee

For all the benefits that technology has given rise to, it poses just as many risks. In the 21st century, personal data is an increasingly valuable commodity, and pension schemes, by their very nature, hold an enormous amount of it. While technology has enabled scheme administration to be automated and information to be shared quickly, it has also brought with it many risks that cannot be ignored.

When cyber security measures are not stringent enough, pension schemes lay themselves open to the following possible risks:

1. Loss of access to data and administration systems. Hacks, malicious viruses and system failures could disable an administration system and prevent access to the data and processes which are needed to provide the correct benefits to the right members.

2. Data can be stolen or hacked. While scheme administration systems have not yet been the target of a hack, the information available could be valuable to fraudsters. For example, personal data could be used for identity theft, and that data combined with account information could give access to members’ bank accounts and other financial assets.

3. Human error from administrators and others involved in running a scheme. For example, steps in the checks used to identify members could be missed; information could be shared with the wrong person; mobile devices and memory sticks can be lost.

The consequences of these sorts of breaches range from simple inconvenience through service disruption to potentially devastating financial loss to members. Any breach may have repercussions, including potential regulatory action, fines, claims from members and reputational damage for the scheme and the employer. There may also be time and financial costs to the scheme in addressing issues, reporting to the Information Commissioner and communicating with members.

Taking a closer look at cyber security is particularly timely right now, with the General Data Protection Regulation (GDPR) coming into force on 25 May this year and pension scheme trustees busy updating their policies and processes ready to comply with the new legislation as a result. As “data controllers” under the GDPR, trustees are required to take “appropriate technical and organisational measures” in respect of personal data that they hold.

Having appropriate cyber security measures in place is an important element of data protection compliance, so it is an ideal time to consider it in more detail. The Pensions Regulator has also reminded pension schemes of the need to be aware of the issues and challenges that cyber security presents for schemes, as trustees are required to understand potential risks to their scheme and to adopt risk management measures that are appropriate and proportionate.

There are a number of practical steps for trustees to take to help manage cyber security and its risks.

1. Identify when, where and how data is used and who is using it.

2. Carry out a risk assessment which should include considering how trustees, administrators and advisers could be party to a breach or security failure. In practice, where schemes have experienced data security incidents, these often stem from human error, rather than external attacks.

3. Assess safeguards that are already in place, and review whether further safeguards, information from providers and/or any other steps are required.

4. Establish a cyber and data security policy that outlines the trustees’ approach to cyber security, steps that would be taken in the event of a breach (an incident response plan), and ongoing plans for reviewing and monitoring cyber and data security.

5. Ensure that the trustees’ risk register addresses cyber and data risks.

There are also further safeguarding measures which can be put in place, including the use of passwords and encryption and ensuring that those with access to scheme data understand the importance of data security and the role they play in maintaining it. Trustees might also want to consider whether and for how long data needs to be shared or stored and, where that data is accessed electronically, to check whether users’ systems are secure. It is also important to check that providers’ contracts include terms relating to data security and, if not, to address any gaps.

Katy Harries, Senior Associate, Sackers