If I ever claimed to be an expert on IT systems and processes, those who work in our firm’s IT department would struggle to contain their amusement.
Along with many other forty-somethings, I am a proficient user of IT at work and at home – until something goes wrong. Then I find it frustrating because I realise that I am pretty clueless about how everything really works; in fact, I need an expert to put it right so that I can go back to pressing buttons and swiping screens to my heart’s content. I suspect that many pension plan trustees are in a similar place.
The Pensions Regulator’s recent guidance on cybersecurity leaves me feeling cold because it confirms the stark reality that one weak link in any chain may spell reputational or financial disaster for a pension plan. It seems like a very difficult thing to protect against.
Building cybersecurity “resilience” and understanding the cybersecurity footprint requires more IT expertise than most trustee boards possess as a group. The threat is not new of course – some trustee boards will already have taken considerable steps towards understanding how their data is protected and how their IT systems are tested and maintained. The advent of GDPR has also helped to force attention on data security.
The Pensions Regulator makes it clear that cyber risk “is an issue which all trustees and scheme managers, regardless of the size or structure of their scheme should be alert to.” Trustees are accountable for the security of data and scheme assets, even where day-to-day functions are outsourced. Cybersecurity should be an integral part of the scheme’s internal controls processes; it should be considered when selecting third-party suppliers, and suitable provisions should be included in contracts.
“The cyber risk is complex and evolving, and requires a dynamic response. Your controls, processes and response plan should be regularly tested and reviewed. You should be regularly updated on cyber risks, incidents and controls, and seek appropriate information and guidance on threats.”
I suggest that trustees read and consider the cybersecurity guidance and add it to the agenda for the next meeting to assess where they stand in relation to TPR’s expectations. Access to IT experts is likely to be required and independent assessment may be appropriate. But given that I am not a computer “geek”, I will leave it there…