Michael Klimes explores what practical steps schemes can take to protect members from hacking and identity fraud
Technological change has made member data vulnerable to cyber criminals, and trustees must protect it. Schemes have to craft a policy that complies with the General Data Protection Regulation (GDPR), which comes into force in May 2018, but also stays ahead of the criminals.
There are three ways trustees can develop cyber security. A board can assign the job to one trustee who researches and then makes recommendations. This method was proposed at PP's Defined Contribution (DC) Conference on 5 September by Capita Employee Benefits head of DC strategy and proposition Anish Rav.
Alternatively, a sub-committee can be given the task or a working party can be set up. The working party is a shorter-term option and is disbanded when the cyber security policy is functional. The approach a scheme takes depends on the scheme's size, the support it might get from the sponsor and the balance of lay and professional trustees.
The best way?
Capital Cranfield professional trustee Allan Course thinks Rav's proposal is a good one when thinking about incentives.
"I have always agreed with personal ownership of tasks from a motivational point of view. This principle can apply to topics other than cyber-crime like property investment or administration," he says.
"One person looks into that subject, makes recommendations and then the board challenges it. The advantage is that the work is more likely to get done than if a committee does it."
If the scheme has the resources, it could create a small working group to take on cyber security.
"Normally you would say cyber security falls within the operation committee, but I would prefer a three-person working group to figure out what the cyber risk is because it disbands when the work is done," Course adds.
Operation committees tend to be constrained as they have many duties like communications and will spend more time on core competencies. "So there is risk that cyber security will not get the attention it needs," he continues.
Association of Member Nominated Trustees (AMNT) co-chair David Weeks sees more trustee boards going down the working party route.
"There is great concern to ensure schemes are working in an appropriate way on cyber security. Drafting by committee is not easy. It is better if a small group of individuals undertake the details and report to the trustee board. My assessment is that it will happen more."
Veratta client manager Tom Nimmo thinks the crucial point is to find people on the board who have the authority to push cyber security forward and stay engaged.
"The advantage of having someone named at board level with that responsibility is the work gets done, but you need to keep on top of it [because cyber threats evolve]. All those things combine to make it a full-on role."
While some schemes have the resources to appoint a group of people to work on cyber security policy, small to medium-sized schemes might not.
These schemes should consider the appointment of a professional trustee.
"They could benefit more from professional trustee engagement. Perhaps professional trustees are in a good position to fill this role as they have more time to devote to this and can call on greater resources."
A concept trustees must keep in mind whatever approach they take on cyber security is what RSM national head of pensions Ian Bell calls the "scheme cyber footprint".
"By this we mean where does scheme data flow to and whom? Data will flow to the actuary and administrators but does it go beyond there? When you have established your cyber footprint you can see where data security needs to be and what has to be done to comply with GDPR," he says.
The delegated person or group who tries to build the footprint requires the full support of the board for it to be built successfully.
"It has to be driven through the trustee board and involve all other parties in the project, otherwise they won't consider it in enough depth. They have to consider all aspects of scheme operations that are part of the scheme footprint. Understanding the work they have done as part of the project is important," he continues.
Apart from the scheme footprint there are two final points to make about the creation of a cyber security policy, according to Squire Patton Boggs partner Wendy Hunter.
"It is up to the trustee board to decide what their delegated group proposed should be implemented. Therefore what the trustee board must not do is divest themselves of responsibility. Also, there is not one right way to do [cyber security policy] as each scheme is different."
Trustees can call on the help of experts to develop cyber security but they are ultimately responsible for it.