Cyber security – a recap for trustees


Pension schemes hold large amounts of personal data which are key for providing benefits. However, this can make them a target for fraudsters and criminals who can use personal data to gain access to bank accounts or for identity theft.

As data controllers, trustees are required under GDPR and the Data Protection Act 2018 to take “appropriate technical and organisational measures” in respect of the personal data they hold. Therefore, trustees need to understand the potential risks to their scheme and adopt appropriate risk management measures.

1. Understand the risks

Administration systems are susceptible to hacks, malicious viruses and system failures. Any of these could result in administration systems being disabled, preventing access to the data and processes needed to provide benefits to members.

Trustees need to be aware that human error is also a potential area of risk. For example:

  • misidentifying scheme members because of incorrect or missed checks
  • information being shared with incorrect recipients
  • devices being lost (e.g. laptops).

2. Preventative measures

Trustees should consider what safeguarding measures their administrators/scheme managers are currently adopting. Examples include:

  • password protection and encryption
  • minimising data being shared for certain processes and for how long
  • reviewing terms in providers’ contracts relating to data security and addressing any gaps
  • assessing whether electronic systems are secure
  • malicious communications and device security training for personnel.

3. Cyber security policy

Trustees need to establish a cyber security policy. This should outline the trustees’ approach to cyber security and what the “incident response plan” is in the event of a breach. It should also cover the trustees’ ongoing plans for reviewing and monitoring cyber security. Where such a policy is already in place, trustees must ensure that this is regularly reviewed.

4. Risk register

Trustees must also make sure that they keep an up-to-date risk register. This should address cyber security and be regularly reviewed.
