Introduction to cyber security: A guide for pension scheme trustees

Introduction to cyber security: A guide for pension scheme trustees

Understanding the basics

As a trustee of a UK pension scheme, your role is pivotal in safeguarding both the financial assets and the sensitive personal data of the scheme’s members. In the digital age, effective cyber security is essential in fulfilling this duty. This guide aims to provide you with essential knowledge and practical steps to assess the cyber security measures implemented by your pensions administrator.
 

Key questions to consider

• What are the current cyber security policies in place?
  Request a summary of the cyber security policies. Look for clear guidelines on data protection, access controls, and incident response strategies. 
• How frequently are these policies reviewed and updated?
  Cyber threats rapidly evolve, making it crucial for policies to be regularly reviewed and updated. 
• What training and awareness programmes are provided to staff?
  Human error is a significant cause of data breaches. Ensure there are regular training sessions to keep staff aware of potential cyber threats. 
• How is data encryption managed?
  Encryption is vital for protecting data. Inquire about the types of encryption used for data at rest and in transit. 
• Are there regular cyber security audits and penetration tests?
  Independent audits and penetration tests can reveal vulnerabilities. Find out how often these are conducted and by whom. 
• How is incident management handled?
  Ask about the procedures in place for responding to a cyber security incident, including detection, containment, and notification processes. 
• What processes are in place to monitor and manage cyber threats and vulnerabilities? New threats and vulnerabilities are emerging all the time. Find out how these are being monitored and managed. 

Performing basic analysis

Without needing technical expertise, you can still conduct some basic analysis:

• Review audit results: Examine the latest cyber security audit summaries for any identified risks or vulnerabilities and how they were addressed. 
• Check compliance certifications: Ensure that your pensions administrator complies with relevant regulations like GDPR and any industry-specific standards such as PASA’s Cyber Security Guidance. 
• Assess communication clarity: The way cyber security information is communicated can be indicative of the robustness of the policies. Clear, concise, and regular communication is a positive sign. 

Understanding independent certifications

Independent certifications can provide an additional layer of assurance regarding the cyber security measures in place. Key certifications to look for include:

• Cyber Essentials Plus: This UK government-backed scheme is designed to help organisations protect themselves against a range of common cyber-attacks. The ‘Plus’ certification involves a hands-on independent technical verification, providing a higher level of assurance. 
• ISO Standards: Look for adherence to relevant ISO frameworks, such as ISO/IEC 27001. This standard provides a framework for information security management systems (ISMS) and offers comprehensive guidelines for keeping data secure. ISO 22301 Business Continuity Management is designed to protect organisations from disruption. 

Seeking independent support

Most professional trustee governance service providers include cyber security enquiries as part of their offering and can provide some level of expertise to support trustee boards. Consider the following avenues for additional support:

• Engage with your governance service provider: They often have the necessary questions and expertise to assist trustee boards in navigating cyber security concerns. 
• Consult with the scheme’s sponsor: The sponsor’s in-house teams may have relevant expertise and resources that can be leveraged for support. 
• Specialist consultancies: In the market today, many administration evaluation and audit firms possess cyber expertise. They can offer in-depth analysis and support, especially if more detailed reviews are required or issues are identified during basic assessments. 

Check out official guidance

Trustees should refer to the Pension Regulator’s guidance on “Cyber security principles for pension schemes” for detailed insights and best practices tailored for the pension sector. 

As a trustee, understanding and evaluating the cyber security landscape of your pensions administration is critical. This guide provides a starting point for your assessment. Remember, staying informed and proactive is key to safeguarding the interests of your scheme’s members.