
Does “Cybersecurity” Leave You Cold?


If I ever claimed to be an expert on IT systems and processes, those who work in our firm’s IT department would struggle to contain their amusement.

Along with many other forty-somethings, I am a proficient user of IT at work and at home – until something goes wrong. Then I find it frustrating because I realise that I am pretty clueless about how everything really works; in fact, I need an expert to put it right so that I can go back to pressing buttons and swiping screens to my heart’s content. I suspect that many pension plan trustees are in a similar place.


The Pensions Regulator’s recent guidance on cybersecurity leaves me feeling cold because it confirms the stark reality that one weak link in any chain may spell reputational or financial disaster for a pension plan. It seems like a very difficult thing to protect against.

Building cybersecurity “resilience” and understanding the cybersecurity footprint requires more IT expertise than most trustee boards possess as a group. The threat is not new of course – some trustee boards will already have made considerable steps towards understanding how their data is protected and how their IT systems are tested and maintained. The advent of GDPR has also helped to force attention on data security.


The Pensions Regulator makes it clear that cyber risk “is an issue which all trustees and scheme managers, regardless of the size or structure of their scheme should be alert to.” Trustees are accountable for the security of data and scheme assets, even where day-to-day functions are outsourced. Cybersecurity should be an integral part of the scheme’s internal controls processes; it should be considered when selecting third-party suppliers, and suitable provisions should be included in contracts.


“The cyber risk is complex and evolving, and requires a dynamic response. Your controls, processes and response plan should be regularly tested and reviewed. You should be regularly updated on cyber risks, incidents and controls, and seek appropriate information and guidance on threats.”

I suggest that trustees read and consider the cybersecurity guidance and add it to the agenda for the next meeting to assess where they stand in relation to TPR’s expectations. Access to IT experts is likely to be required and independent assessment may be appropriate. But given that I am not a computer “geek”, I will leave it there…

© Copyright 2018 Squire Patton Boggs (US) LLP
This article was written by Lynn Housecroft of Squire Patton Boggs (US) LLP
