How exposed is your pension scheme to cyber crime? | KPMG | UK


Barely a week goes by without a news story showing the increasing prevalence of data theft and cyber crime.


Head of Administration Consulting, Pensions

KPMG in the UK


I wrote an article for Professional Pensions about 18 months ago on the importance of pension scheme data and the growing need to protect the sensitive personal information held by a pension scheme.

At that time, cyber security was only just gaining the attention of the larger corporate boards and was a low priority for most pension schemes.

Fast-forward to today and barely a week goes by without a news story showing the increasing prevalence of data theft and cyber crime. Whether it’s political interference, theft of personal customer data or significant disruption to the NHS, the scale and pattern of the risk continues to grow.

It would be easy to become complacent and assume that pension schemes are unlikely to be targeted simply because no cyber attack on a scheme has been made public to date. However, the Pensions Regulator (TPR) itself has recently admitted it was subject to a partially successful ransomware attack in December 2015, having blocked more than 40,000 other attempts over a three year period.

If anyone is in any doubt that pension schemes are a target for data theft and cyber crime, these statistics are a serious wake-up call.

Why should trustees and employers be concerned?

No pension scheme wants to be the one to hit the headlines due to the loss of sensitive personal data. Both trustees and employers need to take the issue seriously, even if for differing reasons.

The trustee board has primary accountability for the security of pension scheme data:

  • The trustees fulfil the role of data controller for their scheme, making them ultimately responsible for ensuring appropriate measures are in place to retain and transmit data securely
  • The very nature of a pension scheme means that the data needed to manage it effectively includes sensitive personal and financial information in significant volumes
  • Most trustees rely on a variety of third party providers to manage their scheme. Trustees need to ensure they have confidence in the data and in the cyber security measures operated by those providers.

Although trustees bear the ultimate responsibility for data security in the scheme, this is still an area in which employers need to take a keen interest, because:

  • The sponsoring employer often shares employment-related data about its employees with the scheme, frequently via third parties; and
  • There is potential for significant reputational damage if a pension scheme the employer sponsors becomes associated with a high-profile loss of data or cyber attack.

Which changes are on the horizon?

The most significant change ever to data protection requirements will come about when the General Data Protection Regulation (GDPR) applies in the UK from May 2018. GDPR will introduce more onerous requirements on data controllers, with the threat of significant fines for breaches. To meet the GDPR requirements, data controllers will need to implement formal processes for managing data, hold a clear inventory of the data they process, and address new requirements around portability, erasure and member consent for the use of personal data.

The use of technology to manage pension schemes has increased greatly in the last decade, and we expect it to continue to develop and disrupt the pensions market in the next few years. Alongside the continuing drive to encourage members to use self-service, the potential applications of robotics and artificial intelligence are already being assessed by some in the industry. Trustees need to ensure they understand the additional risks that will need to be managed, as well as the likely rewards, of adopting new technology.

In the longer term, the potential use of blockchain technology in pension scheme operations could provide trustees and employers with a more secure environment in which to transfer personal data and undertake transactions. The technology uses a decentralised approach to data storage and transaction authorisation and applies continual integrity checks to the records it holds, so its applications could have a major impact on pensions administration. Its strength is the integrity of those records rather than their confidentiality, and an immutable ledger sits awkwardly with the GDPR right to erasure, so any design would need to keep personal data off the chain itself. Implementation is unlikely for some time, but this is definitely a development to watch.

What should you be doing now?

Trustees and employers should consider how well data protection and cyber security risks are mitigated and managed in their scheme. That means:

  • You need to ensure compliance with GDPR by May 2018: the requirements are designed to ensure that data controllers have appropriate oversight, processes and an active understanding of how their data is managed
  • Challenge how well you understand who has access to sensitive scheme information, how it is stored and transmitted, and what processes are in place to manage data and IT security. Ultimately, it is the trustees' responsibility to ensure that the scheme's data is secure
  • You also need full assurance from third parties that they have appropriate security and controls in place to manage data and cyber risk. Remember, the scheme's administrator is not the only party holding sensitive personal and financial data for the scheme
  • Employers should take a keen interest and engage with trustees directly to understand how they are managing the risk to their employees' sensitive personal data.
