Trustees are being urged to push their sponsoring employers for better cyber security protocols after a government study found many do not have comprehensive action plans.
One in 10 FTSE 350 representatives said their firm operated without a response plan for a cyber incident, the Department for Digital, Culture, Media and Sport (DCMS) also revealed in its 2017 Health Check report.
Meanwhile, less than a third (31%) received comprehensive cyber risk information, and just 2% of boards received comprehensive training.
This is despite 54% of boards ranking cyber risk as a top or group-level risk, and another 57% saying they clearly understood the potential impact of a data breach.
The largest proportion (44%) said they only discussed cyber risk biannually or when something goes wrong, with another 27% saying boards had no role to play in response to cyber incidents.
Between April and June the department surveyed 105 hand-picked FTSE 350 board members, 77% of whom held non-executive roles, with 65% of those chairing their company's audit committee.
Minister for digital Matt Hancock said recent attacks, such as May's WannaCry ransomware attack which crippled the National Health Service (NHS), demonstrated the need for firms to boost their cyber security.
"We have world-leading businesses and a thriving charity sector but recent cyber attacks have shown the devastating effects of not getting our approach to cyber security right," he said. "These new reports show we have a long way to go until all our organisations are adopting best practice."
Charities were also surveyed, with a separate report revealing that most do not have internal specialist staff, with cyber security included in the remit of senior staff with multiple responsibilities, such as a chief executive. This means the issue is often deprioritised and lacks investment, the report said.
Pensions Management Institute vice president Lesley Carline said trustees have a duty to press their sponsors to improve cyber-security processes.
"Trustees are responsible for members' data, whoever is holding it on their behalf," she said. "Some of the agreements that are in place are way out of date, and don't cover modern forms of communication.
"If the administration is done in-house by the employer, they have to look at the agreement they have with the employer. But, if the administration is in-house, it is 50:50 as to whether there would be an agreement. Some do it purely on trust, so therefore this area is not documented. It is a question of getting it evidenced that the employer is taking appropriate steps and has appropriate controls in place to cover the members' data.
"But, it doesn't matter whether the administration is in-house or outsourced, there is a duty on the trustees to ensure their members' data is secure."
Meanwhile, just 6% of the FTSE 350 representatives surveyed were "completely prepared" for the EU's General Data Protection Regulation (GDPR), which will soon be brought into UK law through a new Data Protection Bill.
The GDPR, which will create one system to protect the data rights for all EU citizens, came into force on 24 May, but will apply from 25 May 2018. Third-party administrators (TPA) will have a stronger obligation to protect member data, and could face a fine of up to €20m (£17m) in the case of a breach.
Although 97% of firms said they were aware of the regulation, just 13% said it was regularly considered by their board. Respondents were most concerned about complying with individuals' rights to personal data deletion. This was closely followed by the tightening of consent requirements.
Pensions and Lifetime Savings Association (PLSA) senior policy adviser for defined contribution (DC) Matthew Burrell said it was important for all data holders, including pension scheme trustees, to get up to speed with the regulations.
"GDPR and the anticipated act represent a significant strengthening of the UK's data protection regime," he said. "It is essential that senior decision-makers are briefed on this issue as some of the IT changes essential for ensuring compliance could have significant lead-in times.
"With an additional focus on systems and processes, as well as substantially larger fines for non-compliance, fiduciaries in all sectors should be taking note of the upcoming changes."
RSM head of pensions Ian Bell added it was important for trustees to ensure their schemes' entire chain was prepared: "Trustees should have cyber risk highlighted as a key risk on their risk register and tailored training on the subject is essential in order to identify areas where controls need to be understood or enhanced.
"Trustees need to start by understanding their cyber footprint and identifying any weaknesses that can be exploited by hackers. This will include understanding what controls their advisers have and what data is maintained. This can link nicely with any ongoing project on GDPR compliance.
"If the worst happens, an essential element of any cyber strategy is the immediate response plan. This has to be capable of being triggered within 24 hours and certainly can't wait for the next trustee meeting. This is particularly essential for DC trustees if member data were to fall into the wrong hands and could, as an example, invoke a blackout period while the extent of the breach was explored further."
In June, the National Audit Office revealed online fraud has become the most commonly reported crime across England and Wales, but warned too many anti-fraud campaigns gave out confusing messages.