Those of us with short memories may have thought the Pension Regulator’s recent warnings about cyber security were a form of divine foresight given the very public data breach suffered by Tesco Bank shortly after it was released. While the timing of this most recent cyber attack has reinforced the Regulator’s warnings, it has more to do with hindsight rather than foresight and the mounting inevitability of a similar attack hitting the pensions industry.
Even those with only a passing interest in data protection issues will have noted the rise of cyber crime through the headlines. Sadly, this is being borne out through the statistics, which are all pointing to the same conclusion: things are bad – and getting worse. One pretty reliable measure is the number of security breaches reported to the Information Commissioner's Office (ICO), which rose from 1089 in 2015 to 2048 this year; showing an 88 per cent increase, with the primary reasons external attacks and data being disclosed in error. This knowledge was obtained from the ICO by Huntsman Security through a freedom of information request.
So the Regulator is absolutely right to be reminding trustees that there is an active threat and that they should be alive to it. But what questions should they be asking of their administrator to understand the measures in place to prevent and detect an attack? There’s a lot to consider, and trustees often put off asking questions because of the risk of being bamboozled with a flood of geeky technical IT responses. They shouldn’t be, the starting blocks are really quite simple. They need to be assured that data is being stored and handled with care and that their administrator has experts in place to support, test and report on the measures in place.
If you’re a trustee or a pensions manager, you can start the process by following these six (relatively) simple steps:
Find out where your data is
Trustees need to start by finding out where their administrator is storing their data – and that means all of it. They need to know the actual location of both physical and digital data and how it moves between different locations. This has become increasingly important with the widespread use of cloud-based administration systems and administrators putting offshoring arrangements in place.
Find out who has access to your data
It is highly unlikely that only your administrator has access to your data. To deliver a fully comprehensive service your administrator will inevitably need to share your data with system hosting providers, printers and specialist tracing agencies. Make sure you know who these agents are and that the measures they have in place to safeguard data are at least as good as your administrator.
Find out what happens to your data when it is processed
This can often be the part where it all gets too techy, so try to keep things simple. Fundamentally, you need to know what technology is being used to encrypt and back up your data.
Find out if any attacks or data losses have been experienced
If your administrator is not proactively reporting on this, you need to formally ask if they have suffered any attacks or losses that resulted in a report to the ICO. Most administrators only tell the individual clients affected by any potential or actual data breach, but having visibility over these events can better inform you about the risks to your own scheme.
Get a copy of test results
Your administrator should be testing the robustness of the systems and processes that have put in place to protect your data. Tests should be performed at least annually and you should get a copy of the results to see if any gaps have been identified. While much focus is given to external threats, a lot of cyber crime is committed by people within a business, so your administrator should also be testing internal processes and procedures to see how well they perform – even better if they pay for a third party specialist to independently test some or all of this.
Get specialist advice if you need support
Just as you would in any other area of pension fund management, turn to the experts for additional advice if you’re not totally satisfied with the answers you’re getting, or if you simply don’t understand them. There are plenty of specialist IT security consultancies who can help you review your administrator’s systems. Alternatively, you can turn to a specialist administration consultant if you need expert comment on any potential procedural failings.
The amount of data being harvested, processed and stored by administrators has increased massively over the last decade. What was once paper is now digital, what was once locked away on private networks is increasingly being published to the web. The frequency and sophistication of threats is growing, as is the appetite for trustees to bring more content online to their memberships. Don’t let your pension scheme be the next headline, take the time now to properly examine how exposed you and your members are to this mounting threat.
If you're worried about your scheme's data and would like to find out more, please email firstname.lastname@example.org