TPR has stated that trustees and managers must take steps to protect their members and assets – and this includes protecting them against cyber risk. Cyber risk can include the risk of financial loss, disruption or damage to a scheme or its members as a result of the failure of its information technology systems and processes.

Working life has changed dramatically since early 2020, in that the majority of office workers have been forced into a new way of working by the pandemic. Working from home has become the ‘new normal’, a phrase that we’ve become used to referring to. And, with most companies adapting well, the new normal is likely here to stay, at least to some extent.

Some employers are embracing this way of working but the flexibility brings with it some additional challenges to consider. Since the start of lockdown, the number of cyber attacks has increased. The UK Government’s Cyber Security Breaches Survey 2021 reported that 39% of businesses and 26% of charities have had cyber security breaches or attacks, and that this is reported more frequently among medium businesses (65%), large businesses (64%) and high-income charities (51%). And, the most common attacks identified by the survey are phishing attacks, followed by impersonation.

Data security is no longer confined to an office, and trustees will need to rely on the IT systems of their providers (and the employees of those providers), as well as their own.

Additional risks include but are not limited to:

• Printing of personal data, or downloading to a memory stick
• Potential disposal of sensitive information in household waste
• Using a personal computer and home wifi that can be accessed by others.

How can trustees protect themselves and their schemes?

The General Data Protection Regulation (GDPR) has highlighted the importance of managing cyber security risk and the need to make efforts to minimise the impact of security events for pension schemes. With potential risks coming from a number of angles, trustees should be seriously considering what steps they can take to mitigate the risk of becoming a victim of a cyber attack.

As data controllers, trustees are ultimately responsible for what happens to scheme data and should be asking questions to ensure they understand their scheme’s exposure to cyber-related risks. Anyone can fall victim to a phishing email, even the most experienced advisers and trustees.

Trustees should, therefore, be taking appropriate steps to build cyber resilience. This includes putting processes in place, not only to assess and minimise the risk of a cyber incident occurring, but also to ensure recovery following an incident. Being aware of how and where cyber fraud can occur is only the beginning of the story; trustees should also understand how they and their advisers will respond to an attack to reduce the risk of financial and reputational loss.

Data security should be very high on the list of trustee requirements when tendering for advisers. Trustees remain responsible for data security even when they appoint reputable

third parties, so the conversation should not stop at appointment. Frequent reviews of advisers for cyber security and data resilience should form part of the scheme’s governance procedures.

Data is seen as valuable currency to fraudsters, and members won’t thank trustees for being cavalier with their data.

It’s also essential to consider pension scams when looking at data and benefit security, as there are a number of ways members can be taken advantage of. Cold calling was once the most common approach for scammers, but their tactics have continued to evolve since a cold call ban was introduced in 2019. As many readers will be aware, TPR has launched a new campaign and is asking trustees, providers and administrators to pledge to follow the principles of the Pension Scams Industry Group (PSIG)’s Code of Good Practice. It is important that everyone can spot the warning signs to avoid becoming a victim, and trustees are encouraged also to familiarise themselves with the risks faced by their members by completing the new trustee toolkit module on pension scams.

What practical steps can trustees take now?

There are a number of steps each trustee board should consider, including:

• Updating risk registers to include controls for cyber security and pension scams 
• Ensuring trustees and their data processors undertake training on cyber security risks
• Putting in place a cyber security policy and incident response plan
• Using a cyber security checklist to undertake an annual review to ensure trustees are prepared.

With TPR’s consultation on a new combined code of practice for pension scheme governance underway, trustees should also consider how they can apply the anticipated additional governance requirements in relation to data protection. The combined code will incorporate the Governance Regulations introduced in 2018, requiring trustees to establish an effective system of governance, including internal controls, that is proportionate to the size, nature, scale and complexity of the activities of the scheme.

Taking the above steps is a good start in terms of data security, and will have the added benefit of meeting at least some of the anticipated requirements of the new combined code. The draft combined code makes further suggestions, and we recommend trustees explore these with their advisers. Even if they are not incorporated into the final code trustees may feel they are worth doing.

In essence, the key message to share is that if trustee controls are not sufficiently robust, there could be some difficult questions to face (and lessons to learn) in the aftermath of a security breach.

Member data security should be at the forefront of trustees’ governance strategies, especially in light of increased regulation in the area and the evolving threats faced.