We have previously commented on how the cyber threat to every UK pension scheme must now be very firmly at the top of every trustee’s risk register. GDPR has only served to highlight a fundamental challenge to the cybersecurity of schemes, a challenge that seems to evolve and grow by the week.
PASA has just published some important guidance on cybersecurity risk and risk management to help trustees and their schemes manage the risks. That guidance covers five main areas: risk assessment, governance, risk management, controls and incident management.
Risk assessment. To carry out successful risk assessments, the guidance suggests that trustees must agree what they are trying to protect from cyber risks (e.g. member data), identify the threats, look at relevant controls in place and then assess the likely impact of the risk. They can then go on to consider risk management and the controls in place to assist with that.