
Cyber risk: practical actions to improve data security

Pension schemes can be an attractive target for fraudsters and criminals. Trustees are expected to build cyber resilience and protect personal data and scheme assets – the Pensions Regulator has issued guidance for trustees. Keeping personal data secure is also part of complying with data protection requirements. The following checklist sets out some simple actions that can be taken to improve data security.

Data security by design

Fail to plan, plan to fail: having the right policies and processes in place (in relation to third party administrators as well as the trustees) will help to prevent cyber breaches. It is also an important part of complying with data protection obligations.

  • Is cyber risk included on your risk register?
  • Do you have written policies on data security, including the use of passwords and devices, encryption, as well as training? Do you have processes in place to monitor compliance, and to regularly review these policies?
  • Have you put measures in place to ensure suppliers have adequate security controls and reporting protocols?
  • Do you have an incident response plan?
  • Are your IT systems and processes kept up-to-date (eg applying updates and patches promptly)? Are these monitored to ensure that the level of security provided is sufficient?

Trustee papers

Trustee papers may contain a range of member information, including sensitive personal data (eg in relation to ill-health applications). As part of ‘data security by design’, trustees can consider whether risks could be easily reduced, for example:

  • The simplest way to improve data security is to minimise transmission: do trustees really need identifying member details, or could information be anonymised to reduce the potential consequences of any data loss?
  • Trustee papers will be more secure if kept on a trustee portal with password-only access than if they are circulated by email or in hard copy. Trustees should comply with a policy setting out minimum requirements for password security.
  • Pensioner trustees, in particular, may rely on insecure home email addresses, which can easily be hacked. Professional advice should be sought on an appropriate system for secure communications.

Trustee protection

The best protection is training and proper processes, to make sure that everyone involved is vigilant about preventing cyber breaches, but in case the worst happens:

  • Your contract with your administrators (or other processors) should include a clear allocation of cybersecurity risks and governance responsibilities, from minimum requirements, monitoring and reporting, to incident management, liability and compensation in the event of a breach. Trustees should ensure they understand these provisions, including how they would be informed of a breach.
  • Trustees should ensure that they understand their own reporting obligations (for example, to the Pensions Regulator, or the Information Commissioner).
  • Trustees should have processes in place to minimise the disruption to operations in the event of a cyber incident – these can be set out in an incident response plan.
  • Check whether your liability insurance covers cybersecurity-related acts or omissions and, if so, whether this also covers your delegates. Do you need a specific policy to cover cyber risk, and do your administrators and other providers carry insurance that covers these risks?
  • Consider cyber response insurance that will help you in the immediate aftermath of a breach by identifying any weaknesses and making your data secure again. If you don’t want to use insurance, do you have contact details of a company or expert that can help if the worst happens?

Member access

Encourage members to take the security of their pension information as seriously as that of bank accounts (eg using strong passwords that are not recorded with log-in details).

  • If members have online access to personal accounts, are appropriate security measures in place (eg minimum password requirements and other identity checks)?
  • Cyber-attacks often work by mimicry (‘spoofing’) – if an email looks genuine, the recipient may click on a malicious link within it, introducing malware into the system. Do members know how to verify whether communications that apparently come from the trustees are genuine? Use newsletters to encourage the use of strong passwords for scheme website/member accounts and to provide instructions to help members protect themselves from spoofing. Encourage a pro-reporting culture to help you find out quickly about any attempts to infiltrate scheme systems.

Data retention and disposal

Some formal records and books have minimum legal retention periods attached, but trustee records may need to be kept for longer periods in case of future queries or complaints about member benefits – trustees will need to ensure that retention practices are consistent with their data protection obligations.

  • Record-keeping protocols should ensure that adequate information is kept centrally and securely on behalf of the scheme.
  • Establish a policy for data retention and secure disposal in relation to trustees’ personal file copies which include member data (for example, old emails or hard copies) and regularly ask trustees to confirm compliance.
  • Obtain assurances from retiring trustees that all personal data obtained in connection with their trusteeship has been deleted or securely destroyed.