Cyber Security: a Checklist of What Pension Scheme Trustees Should Know

Pension Scheme Trustees and Cyber security

Cyber security and Pension Scheme Trustees: how well versed and up to date do trustees need to be?

While they don’t need to be subject matter experts, Pension Scheme Trustees should have a solid and up-to-date understanding of cyber security, data protection, and the implications of artificial intelligence (AI), as these areas are increasingly influencing the security and operational efficiency of pension schemes.

Through our conversations with Pension Scheme Trustees, discussions about cyber security with subject matter experts, and our own desktop research into the subjects, we have drafted this checklist of what trustees need to know about cyber security, the level of expertise they need, and how they can use this knowledge to effectively manage pension schemes.

In follow-on articles, we’ll look at each of these points in more detail, along with any pertinent changes in these fields.


Cyber security and Data Protection

Pension Scheme Trustee Responsibilities:

  • Protection of Sensitive Information: Trustees are responsible for ensuring that personal and financial data of members are protected against unauthorised access, theft, and loss.
  • Regulatory Compliance: Compliance with data protection laws, such as the General Data Protection Regulation (GDPR) in the EU and similar regulations globally, is mandatory to avoid legal and financial penalties.
  • Risk Management: Identifying and mitigating cyber security risks to prevent data breaches and cyber attacks.

Level of Expertise Required:

  • Basic Understanding of Cyber Threats: Knowledge of common cyber threats such as phishing, malware, ransomware, and social engineering attacks.
  • Legal Requirements: Awareness of legal standards and regulations related to data protection specific to the pension industry (TPR, ICO).
  • Best Practices in IT Security: Familiarity with best practices such as encryption, secure password policies, and multi-factor authentication.

Utilising Knowledge in Pension Management:

  • Implementing Robust Security Measures: Ensuring that all systems and processes involving members’ data are secure. This may involve working with IT professionals to set up firewalls, anti-virus software, and intrusion detection systems.
  • Regular Audits and Updates: Conducting regular security audits and ensuring that security systems are updated to protect against new vulnerabilities.
  • Training and Awareness: Organising regular training for all members of the pension scheme on data protection practices and how to recognise cyber threats.

Impact of Artificial Intelligence


  • Ethical Implications: Understanding the ethical implications of using AI in pension management, such as bias in automated decision-making processes.
  • Operational Efficiency: Leveraging AI to improve the efficiency of pension management, such as automating routine tasks and improving data analysis.
  • Innovation and Competitiveness: Keeping abreast of technological advancements to ensure the pension scheme remains competitive and can offer the best possible service to members.

Level of Expertise Required:

  • Foundational Knowledge of AI Technologies: Basic understanding of how AI systems work, including machine learning, natural language processing, and robotics.
  • Implications of AI on Investments: Knowledge of how AI is affecting investment markets and asset management, including algorithmic trading and automated advisory services.
  • Legal and Ethical Considerations: Awareness of the ethical considerations and potential legal issues associated with deploying AI, including data privacy concerns and the need for transparency.

Utilising Knowledge in Pension Scheme Management:

  • Implementing AI Solutions: Identifying opportunities to implement AI in the administration and management of the pension scheme, such as using AI for better forecasting of pension liabilities or automating customer service.
  • Monitoring AI Investments: Keeping an eye on investment opportunities in AI-driven companies or technologies, assessing their potential returns and risks.
  • Ethical Governance: Establishing guidelines to ensure that AI is used ethically within the pension scheme, including auditing AI systems for bias and ensuring decisions are explainable.

What to do if a cyber security incident occurs?

TPR published an article in February 2024 detailing the key steps trustees should take if a cyber security incident occurs. These are:

  • Communicate with the employer, administrator and service providers – to help understand how the scheme and members are affected. This should prioritise understanding if there is likely to be disruption to the payment of benefits, retirement processing and bereavement services.
  • Notify TPR as appropriate – trustees are legally required to report breaches of pensions law to TPR where these are likely to be of material significance. TPR is also keen to work with industry to share good practice and insight, and asks that schemes, their advisers and providers report significant incidents on a voluntary basis as soon as reasonably practicable.
  • Notify the Information Commissioner’s Office (ICO) if required – data breaches must also be reported to the ICO within 72 hours, if the breach meets the legal threshold for reporting. As data controllers, trustees must notify the ICO if the breach is likely to result in a risk to the rights and freedoms of individuals. Failure to notify such a breach can result in a fine of up to £8.7 million, or 2% of global turnover.
  • Restore key services – trustees should establish whether key services and interfaces with other parties can be operated safely.
  • Safeguard members’ benefits – trustees should consider whether any immediate actions are required to safeguard members’ benefits.
  • Communicate with members – trustees should communicate with members and signpost them to appropriate guidance, like the National Cyber Security Centre (NCSC) guidance for individuals on data breaches.
  • Monitor increased or unusual transfer requests – trustees should monitor for increased or unusual transfer requests taking place.
  • Contact the NCSC – if a scheme is subject to a significant cyber security incident, the trustees should contact the NCSC for support.

Pension Scheme Trustees and Cyber security – Overview Summary

In summary, pension scheme trustees need a solid understanding of cyber security, data protection, and the emerging role of AI to navigate the evolving technological landscape.

This knowledge helps ensure the security of member data, enhances operational efficiencies, and maintains compliance with regulatory standards.

Trustees should continuously update their knowledge and skills in these areas to effectively manage the associated risks and opportunities.
