Cyber security: pension schemes in 2020

In 2018, we wrote about some general areas that all scheme trustees should consider when looking at their scheme’s cyber security. So, two years on, what has changed?

Matthew Maneely
Published: 18 Sept 2020 Updated: 13 Apr 2023

The Pensions Regulator has made it clear that it expects all trustees to actively take steps to ensure that the cyber security position of their schemes is robust. We have talked to a number of trustees about actions and progress in this area, and have reviewed scheme minutes which show that trustees are taking this seriously.

However, 2020 and the challenges of the COVID-19 pandemic have given fraudsters the opportunity to test their ability to extract data or reward by exploiting the weaknesses that cyber security is meant to address. At least one well-known third party administrator has suffered a data breach at the hands of a hacker, and still more organisations have been threatened by ‘ransomware’ attacks. On a personal level, there are sophisticated ‘phishing’ emails in circulation which purport to come from HMRC, DVLA and TV Licensing, among others.

So what does this mean for trustees?

We would recommend that you review both your IT arrangements and your security controls. Where you rely on others, ensure they are keeping their cyber security protocols under constant review. The move to remote working to accommodate lockdowns has sometimes meant that controls have been amended or their operation has been delayed. Therefore, we suggest you consider the following questions:

  • Is your data being stored on any personal computer equipment/servers?
  • Are your administrators operating using their usual secured networks?
  • How are your administrators managing the confidentiality arrangements when their staff are working in shared housing?
  • What training and reminders have your wider team (trustees, actuarial, administrative and secretarial functions, for instance) received about taking the necessary precautions with emails?
  • With the move to remote working, how have anti-virus updates been managed?

Pension schemes involve a large amount of personal data that could be valuable to people or organisations looking to profit by selling it, by preventing you from using it, or by exploiting it themselves. Schemes also involve multiple linked organisations, so criminals might seek to exploit vulnerabilities anywhere in the whole arrangement. Larger organisations will be targeted because of the greater potential for profit, while smaller organisations may also be under fire because of potentially weaker controls and less robust security. Most data loss or freezing is the result of human error: a phone or laptop lost on a train, clicking on a link in a suspicious email, or sending an unsecured email to the wrong place are all common culprits. Hence fraudsters have redoubled their efforts to send emails containing scam links.

While a sophisticated hacking attack may occur at one of the organisations involved with your scheme, it is much more likely that a ‘phishing trip’ will succeed, bringing pension activities to a grinding halt. Therefore, the key to successful cyber security is good, basic housekeeping. Prevention is always better than resolution, so review your protocols for data sharing, storage and information retrieval and ensure that all those who support the scheme are doing the same.

We know that many of you found our checklist helpful in considering the cyber security of your scheme back in 2018. We have now updated it for COVID-19 scenarios and include it again here:

For each item below, record one of two outcomes: ‘considered and security is adequate’ or ‘further action required’.

  • Every device where scheme data is held is known and logged
  • Every organisation with whom data is shared and who may hold potentially sensitive information is logged
  • Trustees use hand-held devices (smart phones, tablets or laptops) to look at board papers containing potentially sensitive member information on:
      • devices controlled by the individual trustee
      • corporate-controlled devices (automatically containing the ability to wipe all data held on them, should they be lost or compromised)
  • Trustees use a secure electronic board paper site, and understand who has access and whether documents and data can be extracted or can only be read
  • Trustee email systems contain electronic security (personal email addresses may be more vulnerable to attack)
  • Information provided to the trustees has been de-sensitised:
      • member numbers have been used instead of names and national insurance numbers
      • months and years have been used instead of exact dates of birth
      • other ways of making the data less sensitive have been investigated
  • Policies are in place setting out data exchange protocols and these are maintained
  • Service Level Agreements or contracts with service providers are regularly updated:
      • the SLA/contract covers all necessary data provisions (GDPR and wider)
      • service providers tell you if they have issues with their logical access to systems, firewall failures, or anti-virus software that is not at the latest version
      • they update you on how they are keeping member personal data secure while their employees work in an uncontrolled remote environment
  • Data is exchanged between providers in a secure way using:
      • a secure portal
      • encrypted emails
      • mobile data devices
  • Computers, including laptops, are protected with strong passwords which must be changed on a regular basis
  • There are suitable security measures in place when members access their data online
  • Where data is held overseas, data security complies with the same standards expected and required by UK legislation
  • Appropriate communications have been made to members about the data held by the scheme, including any changes to methods during COVID-19 remote working
  • Systems are in place to ensure that if members refuse to allow certain processes to occur on their data, these wishes are adhered to
  • There is a clear protocol to follow for breaches or near misses of data policies and procedures, and you are comfortable that it will:
      • inform all relevant parties
      • notify the right people to meet your reporting requirements
      • ensure remediation steps are taken to minimise the damage and to put it right

If you are satisfied that your controls are adequate, have you tested them? You could ask your IT department to send out suspicious emails and share the results with your team. Alternatively, you could question each of your providers and ask them about their own testing protocols and analyse the results.

Given the continual changes to day-to-day practices that we are all experiencing, it is clear that standing still is not an option. So, if you do nothing else, schedule a regular review of your current protocols and ensure you are actioning any suggested improvements to prevent potential hazards.

By necessity, this briefing can only provide a short overview and it is essential to seek professional advice before applying the contents of this article. This briefing does not constitute advice nor a recommendation relating to the acquisition or disposal of investments. No responsibility can be taken for any loss arising from action taken or refrained from on the basis of this publication. Details correct at time of writing.

Ref: 127920lw


This article was previously published on Smith & Williamson prior to the launch of Evelyn Partners.