Trustee boards should be assessing their risk of cyber attack and taking steps to protect member data and scheme assets, the chief executive of the Pensions Regulator has said.
Experts have been predicting an increased focus on cyber security for some time now, with warnings of major losses if a pension scheme is hit by hackers.
Speaking at a Society of Pension Professionals event, the regulator's chief executive Lesley Titcomb highlighted the threat posed by cyber attacks and urged schemes to be aware of the risks.
“Pension schemes are likely to be attractive targets to cyber criminals, because they hold a lot of personal employment and financial data,” she said.
“Unlawful access or attacks could be serious for a scheme and its members, and could in the end result in identity theft, loss of data or even loss of financial assets.”
Schemes supervised by the Prudential Regulation Authority likely already have a strategy in place for dealing with cyber security, Titcomb said, but she added that trust-based schemes might well need to look at tightening up their existing arrangements.
“It is trustees who are the data controllers under the Data Protection Act, so it is the trustees who must make sure they have all the proper protocols and policies in place, and that any third parties they use also have the appropriate controls in place,” she said, adding that cyber security should be a key risk on risk registers.
Neil Bowden, partner at law firm Allen & Overy, said preventative action was needed, as pension scheme members could be exposed.
“The rest of the world has been worrying about this for some considerable time, and we as the pensions industry are coming to it slightly late in the day,” he said.
“Pension schemes are sitting there with an awful lot of personal data, an awful lot of bank details, and actually it is a big issue. We need to make sure we deal with it before a big scandal hits.”
Cyber security and the dashboard
Darren Philp, director of policy and market engagement at master trust the People’s Pension, said cyber security forms part of the wider debate around the governance of the pensions dashboard, but that it should not become the focus of the debate.
“My concern about the dashboard at the moment is that we’re talking about the plumbing. We’re talking about the technology and we’re getting all excited about it, but we’re not really articulating what it’s there to achieve,” he said.
“It’s got to be well governed and you’ve got to have controls on it for it to actually work, and for it to work in the member’s interest.”
Titcomb agreed, adding the dashboard would not complicate the issue of cyber security for trustees.
“Essentially what the dashboard is doing is facilitating the exchange of data and its presentation to the member. The key issues are the arrangements within the underlying scheme that will be contributing to the dashboard – are they suitably robust in terms of cyber security?”
She added: “Unless the fundamental underlying controls of cyber security in the schemes are addressed, the dashboard won’t make it any worse or any better.”