Barely a week goes by without a news story showing the increasing prevalence of data theft and cyber crime.
I wrote an article for Professional Pensions about 18 months ago on the importance of pension scheme data and the growing need to protect the sensitive personal information held by a pension scheme.
At that time, cyber security was only just gaining the attention of the larger corporate boards and was a low priority for most pension schemes.
Fast-forward to today and barely a week goes by without a news story showing the increasing prevalence of data theft and cyber crime. Whether it’s political interference, theft of personal customer data or significant disruption to the NHS, the scale and pattern of the risk continues to grow.
It would be easy to become complacent and think that pension schemes are unlikely to be targeted, simply because there has been no known cyber attack to date. However, The Pensions Regulator (TPR) itself has recently admitted it was subject to a partially successful ransomware attack in December 2015, although it successfully blocked more than 40,000 other attempts in a three year period.
If anyone is in any doubt that pension schemes are a target for data theft and cyber crime, these statistics are a serious wake-up call.
The trustee board has primary accountability for the security of pension scheme data:
Although trustees bear the ultimate responsibility for data security in the scheme, this is still an area in which employers need to take a keen interest, because:
The most significant change ever to data protection requirements will come about when the General Data Protection Regulation (GDPR) is enforced in the UK in May 2018. GDPR will introduce more onerous requirements on data controllers, with the threat of significant fines for breaching regulations. As part of meeting the GDPR requirements, data controllers will need to implement formal processes for managing data, have a clear inventory of data held and address new requirements around portability, erasure and member consent, for the use of personal data.
The use of technology to manage pension schemes has increased greatly in the last decade – and we expect it to continue to develop and disrupt the pensions market in the next few years. Along with the continuing drive to encourage members to utilise self-service, the potential applications of robotics and artificial intelligence technology, are already being assessed by some in the industry. Trustees need to ensure they understand the potential additional risks that will need to be managed, as well as the likely rewards of utilising new technology.
In the longer term, the potential use of blockchain technology in pension scheme operations could provide trustees and employers with a more secure environment in which to transfer personal data and undertake transactions. The applications of this technology (which uses a de-centralised approach to data storage and transaction authorisation and applies continual data integrity checks) could have a major impact on pensions administration. Implementation is unlikely for some time – but this is definitely a development to watch.