Cyber-security: how safe is your pension scheme?

Recent months have seen highly publicised ransomware demands against corporate and public sector organisations in the UK and across the world.

Even The Pensions Regulator (TPR) has admitted to ransomware attacks on their systems. To date, we are not aware of pension schemes revealing any data loss from such attacks. However, these events have highlighted how vulnerable organisations are to criminals determined to exploit computer systems and networks to obtain information.

Notwithstanding scares, the reality is that trustees have always been responsible for ensuring the safety and security of a scheme’s data. Over the last 20 years, the prevalence of computer systems and the seeming ease with which data can be obtained, stored and manipulated has meant that information gathered legitimately under one regime now has to comply with more stringent legislation. The term ‘cyber-security’ reflects the need for schemes to consider the technology they currently use: computers, data centres, intranets and the internet - and the threat from those who would criminally use the personal data held.

On top of this has come the planned implementation of the General Data Protection Regulation (GDPR), which extends the requirements of the UK Data Protection Act 1998 (DPA). Pension schemes have had to comply with the DPA for several years, but the GDPR introduces accountability, removes the ability to apply a standard charge for information requests, and ensures that, where trustees or their service providers are relying on outsourcing, that this outsourcing is subject to contractual monitoring and confirmation provisions.

TPR has made it clear that they expect every scheme to consider and action cyber-security measures. To ensure these measures undergo regular reviews, they should be included within the scheme risk register.

DISCLAIMER
By necessity, this briefing can only provide a short overview and it is essential to seek professional advice before applying the contents of this article. This briefing does not constitute advice nor a recommendation relating to the acquisition or disposal of investments. No responsibility can be taken for any loss arising from action taken or refrained from on the basis of this publication. Details correct at time of writing.