
Out-Law News

Pensions trustees should be alert to cyber risks to scheme member data, says regulator

Pension scheme trustees should view cyber security issues as a "key risk", bearing in mind the significant quantity of personal data that they hold about their members, the chief executive of the Pensions Regulator has warned.

Speaking at an industry event, Lesley Titcomb said that trust-based schemes in particular had been slow to address cyber security issues, particularly in the context of third-party administrators. Contract-based schemes, which are regulated by the Financial Conduct Authority (FCA), were more likely to have suitable risk management arrangements in place, she said.

In comments reported by Pensions Expert (registration required), Titcomb pointed out that scheme trustees, rather than any third-party administrators, carry the responsibility of 'data controllers' under the 1998 Data Protection Act.

"It is trustees who are the data controllers under the Data Protection Act, so it is the trustees who must make sure they have all the proper protocols and policies in place, and that any third parties they use also have the appropriate controls in place," she said.

"Unlawful access or attacks could be serious for a scheme and its members, and could in the end result in identity theft, loss of data or even loss of financial assets," she said.

Pension disputes expert Ben Fairhead of Pinsent Masons, the law firm behind Out-Law.com, said that cyber security should be a "big concern" for trustees and administrators, given the nature of the data held by them for the purposes of administering the pension scheme.

"Scope for abuse of administration systems and a new form of pension fraud through cybercrime needs to be taken seriously," he said. "It has the propensity somewhat silently to creep up on us as the next big pensions scandal if it isn't, so it is welcome that the Pensions Regulator is grabbing some attention in raising this."

"There will be plenty of trustees who are alive to this risk already, and the onus is going to be first and foremost on them to ensure appropriate protection is in place. However, it will be critical that those behind the curve check internal policies, as well as contractual arrangements with third parties handling data; and make sure they do everything they can to guard against this risk - and ultimately the risk of comeback and litigation if it all goes wrong," he said.

Pensions expert Carolyn Saunders of Pinsent Masons also stressed the need for trustees to develop plans for responding to a cyber attack should the worst happen.

"The terrifying truth is that trustees can never be sure that their scheme won't fall victim to a cyber attack - even the Pentagon can't achieve that," she said. "So, it is vital that trustees plan for responding to a cyber attack - and that plan needs to be detailed, practical and have the buy-in of all of those involved in running the pension scheme."

"Trustees should also review their cyber security more widely and consider all aspects of running the pension scheme – from the use of personal email addresses by trustees, to communicating with members about the risks," she said.
