Trustees must be extra vigilant in their assessment of online platforms and review data-handling processes to protect members from the growing threat of cyber crime, experts have said.
Recent data breaches at the online platforms of high street telecoms companies TalkTalk and Vodafone have reinforced the need for robust cyber security frameworks.
High-quality telecoms data sets are a lucrative target for hackers, but pension scheme data can provide cyber criminals with a highly detailed picture of members’ personal, financial and employment records to use and abuse in subsequent attempts to defraud individuals.
Data controllers
High-profile hacking incidents are forcing global authorities to consider tougher regulations. Negotiators from the European Parliament, member states and the European Commission are working on a deal to create new data protection rules by December.
Under the 1998 Data Protection Act, pension scheme trustees are defined as 'data controllers' and are responsible for ensuring all data-handling is compliant.
That responsibility extends across contracts with all third-party data processors including administrators, providers and sponsoring employers.
Failure to effectively pass down these obligations through third-party contracts could leave trustees vulnerable to the serious consequences of a data breach.
Monica Cope, managing director at scheme data specialist Veratta, said the pensions industry, historically heavily paper-based, has undergone a seismic shift to online, and trustees must be aware of the frameworks and accreditations that providers should have in place to guarantee a best-practice approach to cyber security.
“A really good starting point for trustees is to understand the key risks, look at external providers and make sure they do adequate due diligence on the providers they’re using and the systems they have in place hosting their pension scheme information,” she said.
Cope said government-backed Cyber Essentials and Cyber Essentials Plus accreditation provide baseline protections and penetration testing to identify platform vulnerabilities.
However, she added that trustees should check whether providers are accredited with ISO 27001, the internationally recognised best-practice standard for information security.
“There are lots [of providers] that do but I’m sure there are lots that don’t,” she said.
“If you do you normally have the badge posted on the website – it’s an easy check for trustees to do and a very straightforward question to ask.”
Cope added that a relatively new accreditation, CSA Star, has been introduced for cloud-based software – something many providers will have already attained or be working towards.
Broad risk assessment
Sarah Stephens, head of cyber, technology and media errors and omissions at insurance broker and risk consultant JLT Specialty, said trustees and pension providers need to consider cyber risks across all systems.
“It’s not just about addressing the security of their website on the internet. They must also consider the threat from employees and third-party providers, as 32 per cent of cyber insurance claims last year involved insiders, from a malicious and accidental perspective,” she said.
Stephens said rethinking the access controls of employees would be a “concrete step” towards addressing cyber risk.
Securing dashboard data
Data security will be crucial to the success of the pensions dashboard, an industry-wide initiative aiming to collate individuals’ collective pension savings onto a one-stop platform.
In February, the Department for Work and Pensions outlined its plans for automatic transfers under pot-follows-member.
The DWP approved a network model that required all participants to meet a defined set of open standards around how they hold, send and deal with data, which would reduce the risk of a single point of failure.
Pensions minister Ros Altmann shelved plans for pot-follows-member last month, but digital services body Origo plans to develop a ‘pension register service’ over the next two years, which will host individuals’ data on state pension and lifetime savings compiled from government agencies, pension providers and administrators.
Ben Cocks, director of Altus Business Systems, said competition and collaboration in open standards frameworks improves data security due to the sheer number of stakeholders assessing and tackling system “frailties” on an ongoing basis.
However, Cocks said it was yet to be confirmed whether the pensions dashboard framework would be built on an open standards model.
“Collaborative initiatives on open standards tend to be more robust,” he said. “Competition keeps the open standards framework safer – rather than having a big monopoly that has no commercial drive to get it right.”