Summary and implications
Pension schemes hold valuable personal and financial information which could make them attractive to cyber-criminals. Recent high-profile attacks have brought this to the top of the agenda. This briefing considers some of the practical steps trustees can take to protect the information they hold about their members and the data which is held by third party administrators.
Protecting information: what the law says
Trustees are classed as data controllers and as such are primarily responsible for protecting member data held by them or on their behalf. Data protection law requires data controllers to have appropriate security in place to prevent personal data being compromised. The Information Commissioner's Office has published guidance which confirms that in its view data protection law does extend to cyber security.
How to protect your information: key steps to cyber security
Have a security policy in place and make it work. This should include practical matters such as who has access to premises and equipment, responsibility and reporting lines and periodic checks to ensure systems are up to date.
Have a communications protocol in place. This should include who does (and does not) say what and when. A clear set of pre-prepared announcements can avoid a great deal of reputational damage if you are the victim of a cyber attack.
Staff. It is vital that staff understand the importance of security and communication and are properly trained.
Computer security. Cyber attacks are constantly evolving and expert technical advice should be taken periodically. Areas to be covered include the use of passwords, encryption and spyware tools, the security of old equipment on disposal and detachable media.
Scheme administrators: protecting the data
Questions all trustees should be asking their scheme administrators include:
- Do they understand cyber risks?
- Have they taken and followed expert advice on the technical aspects of IT security?
- Do they have governance, policy and operational frameworks in place that conform to accepted industry practice and are applied effectively across the organisation?
- Are their IT systems subject to regular monitoring and testing?
- Does someone in the organisation at board level have clear responsibility for data security?
- Do they have an incident management plan enabling them to respond quickly and effectively to a cyber attack?
- Do they have clear rules for reporting incidents to trustees and regulators?
- Are they certified under the Government's Cyber Essentials scheme?
- Do they use an acceptable cyber security standard such as the NSA standard or ISO 27001?
Cyber security is not just about having appropriate IT systems in place but also having properly trained staff and a culture of compliance. There should be a security policy in place covering acceptable and secure use of the information and up-to-date awareness programmes for staff.
Contractual agreements: protecting the trustees
The primary concern for trustees is to ensure that their members' private information is kept secure. They can seek to achieve this by careful due diligence when selecting third party administrators as outlined above.
It is also important that if there is a data breach the impact on the scheme is minimised, with remedial action (including any appropriate compensation payments) being made by the scheme administrator rather than the trustees. Contracts with administrators should be carefully drawn to ensure that the scheme and affected members are fully compensated in the event of any cyber breach.
What Nabarro can do to help
At Nabarro we have experts in both pensions and technology law, with a team specialising in data protection, cyber security and litigation-related remedies should the need arise. The services we offer include:
- drafting or reviewing service contracts with scheme administrators to ensure appropriate data protection and cyber-security provisions;
- providing informal guidance to those charged with risk management to increase awareness and advise on the regulatory consequences of a security breach;
- advising on new policies and procedures for data protection and IT usage to meet current business needs and legal and regulatory requirements;
- considering insurance policies to determine whether the diverse risks associated with a cyber breach are adequately covered;
- developing risk management plans to deal rapidly and effectively with a data protection or cyber-security incident; and
- mitigating the impact of a cyber breach including claims against known perpetrators, asset recovery and defending claims advanced by affected third parties or data subjects.
We will be holding seminars in the New Year to look at these issues in more depth. We will be sending out invitations shortly. If you have any questions or concerns in the meantime then please contact us.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.