Pension trustees at particular cyber risk: steps to take to protect data

Trustees receive a huge amount of personal data. Their advisers and administrators process personal data all the time. The introduction of the General Data Protection Regulation from May 2018 should focus trustees’ minds on data security. They should be reviewing processes governing how data is handled; contractual terms for passing on data to others, and how they communicate data with members. Cyber security should be an integral part of the review process. The problem is not just about the data itself, the reputations of the trustees and their sponsoring employers are on the line too.

Part of the problem is that pensioner members have not grown up with technology, making them a prime target for cyber fraudsters. The difficulty is educating all members to be aware of the risks. The tactics used by scammers change constantly, and will continue to evolve as technology develops. Spotting a pension scam is likely to become more difficult as technology continues to evolve and the pensions industry become more and more dependent on it.

Often trustees use personal email addresses and access their emails on personal devices. Personal email addresses and devices are not usually as secure as business addresses and devices. Trustees should take the risk of hacks into their systems seriously. According to a government survey, viruses and malware account for half of all security breaches.

How to prepare for the inevitable

The scary truth is that trustees will never be able to protect themselves and members from all these risks and businesses everywhere are beginning to accept that cyber security breaches are inevitable. It is essential, then, to prepare for a possible breach.

There are a number of ways that you can reduce the risk and help protect the personal data your members entrust you with. It is also vital to have a response plan in place to deal with the consequences of any breach.

Trustees should:

• add cyber security to your risk register
• put in place a data management/segregation system
• design an incident response plan
• form an incident response team
• rehearse and train for responding at an attack
• conduct incident response rehearsals
• review contracts with administrators, investment managers, advisers and their supply chain
• use anti-virus software
• install a firewall
• not download suspicious files
• be wary of unfamiliar Wi-Fi networks – use secure networks
• use strong passwords in accordance with a password policy
• keep software updated
• encrypt and password protect portable media such as USB drives
• discuss with the employers what cyber-security policies they have in place and whether you can adopt any of their measures
• consider insurance for cyber attacks.

Simon Tyler and Hadassah Shulman are pensions experts at Pinsent Masons, the law firm behind Out-Law.com