A data security breach could cost trustees up to £500,000 but many are unaware of the risks they are running.
As if trustees didn’t have enough on their plates with the constant stream of regulatory changes, funding challenges and low bond yields, they also need to ensure they are keeping on top of their data security.
As the data controllers for schemes, the ultimate responsibility for information security lies with trustees. This means that they could be liable for a fine of up to £500,000 in the event of a breach.
To help trustees keep on top of this issue, we’ve looked at five of the key risks they might be facing, and how they can mitigate them.
1. Supplier security
Trustees use a number of different suppliers, from lawyers and actuaries to custodians. However, what many trustees may not be aware of is that they could be liable for the damage if one of those suppliers has an information security breach. This means that trustees need to ensure that they have done due diligence on their suppliers.
Asking your supplier if they have ISO270001 is a very straightforward question”
One thing that trustees can do is to look at their suppliers’ information security accreditation, says Monica Cope, chief operating officer at Veratta. Ideally, trustees should look for suppliers who have an accreditation like ISO27001 or the Government’s cyber essential scheme.
“Asking your supplier if they have ISO270001 is a very straightforward question and that ticks the biggest box of all in relation to information security,” she explains.
2. Suppliers of suppliers
Even when trustees have done due diligence on their lawyers, consultants and administrators, they could still be at risk further down the supply chain. For instance, the actuary may employ a shredding company that deals with waste, or a cleaning company. It is absolutely crucial for trustees to ensure that due diligence has been carried out throughout the supply chain, as they could still be liable for any breaches that occur.
One thing trustees can do is arrange for an assurance exercise to be carried out on their schemes. This is where an independent auditor comes in to review the controls that are in place. They will evaluate the trustees’ controls as well as those of their suppliers and their suppliers’ suppliers.
3. Phone access
It used to be the case that employees were given company phones if they were expected to access work emails when out of the office. These days, the company phone has gone out of fashion, with many companies providing apps which allow employees to access work files and emails on their personal mobiles.
It’s not just phones either, people also access company documents through personal laptops, iPads and save files to USBs.
While this may cut costs (giving everyone a company laptop certainly isn’t cheap) the downside is that it creates a significant information security risk.
Organisations, particularly those that store sensitive consumer data, want to be able to control where information is stored and processed, making sure all devices are encrypted with ‘strong’ passwords that are changed regularly.
If they are allowed to bring their own devices, how do you manage them?
But if your employees are working from personal devices, it’s very hard to ensure that password protection is sufficient.
Furthermore, you want to be able to ensure that if a mobile device is lost or stolen, it can be wiped. This is relatively straightforward to do with a company-owned device (assuming the employee reports it missing) but significantly less easy with a personal iPad.
One solution, says Cope, is mobile device management software. “If I was a trustee, I would be asking the question ‘can your staff pair their own devices?’ If the answer is no, that’s great, but how do you actually check they’re not doing that? How are you reviewing that?”
She continues, “If they are allowed to bring their own devices, how do you manage them? There’s mobile device management software where if an employee is using their own device for emails you can wipe the corporate side. But they must inform you if they lose it, so you would have that policy put in writing to your staff: ‘Ok you can use your own devices but if you lose it, you must tell me and I must be able to wipe any corporate information’.”
4. Data storage
Whether it’s online records held in a data centre or paper records stored in somebody’s garage, trustees face a myriad of risks if they do not understand how and where their data is stored.
One thing trustees need to ensure that there are physical controls in place to track that information. A business continuity plan is crucial to make sure that hard copies are backed up virtually and that digital copies are protected from security breaches.
5. Cyber security
Schemes often have access to a lot of personal data about members and so cyber breaches are a significant concern. One only needs to look at the recent hacking of the Ashley Madison extra-marital affairs website to see how much reputational damage a cyber-security breach can cause.
Cope encourages organisations that are processing information to carry out penetration testing. This is when you bring in “ethical hackers” in to test your network and see if there are any vulnerabilities that could be exploited.
It’s important that you do your patching as the updates are released otherwise the hackers know where to exploit”
“That’s not an overly expensive exercise but people shy away from it. However in this day and age it’s an exercise that you would expect organisations processing information to carry out,” says Cope.
On a network level, trustees need to make sure that firewalls are in place, and that there is sufficient malware protection installed. They also need to make sure that system and application software are applied in a timely manner.
“For example, Microsoft regularly publish security patches to potential vulnerabilities. Once those security patches are identified and published, hackers become aware of vulnerabilities to exploit, so it’s important that you do your patching as the updates are released otherwise the hackers know where to exploit,” Cope explains.
It’s difficult for trustees to keep up with all the changes to pensions legislation, so keeping up with all the information security changes and challenges as well is tough. However it’s crucial that trustees stay on top of this to avoid hefty fines and reputational damage if something goes wrong.
Trustees should also remember that information security is not just a one-off challenge. Processes need to be tested and updated regularly as new threats emerge.