The Pensions Administration Standards Association has published its cybersecurity guidance for U.K. pension plans, a news release said Thursday.
The guide consists of five sections: controls, incident management, governance, risk assessment and risk management.
In the risk assessment section, for example, pension plans are told to understand what assets they need to protect, such as participants' personal data; identify the threats to those assets; gauge the risk by considering how likely each threat is; establish controls to mitigate the threats; assess the effectiveness of those controls; and determine whether the resulting risk is acceptable.
Controls that can mitigate cybersecurity risks include monitoring and logging, penetration testing, business continuity and disaster recovery planning, data protection, reviewing the infrastructure to make sure it is appropriate given the identified risks, and keeping data up to date and accessible.
"The lead-up to the General Data Protection Regulations, introduced in 2018, saw cyber-risk taking a steep hike up the trustee agenda," said Chris Connolly, chair of PASA's eAdmin Working Group, in a news release. "New technology and innovations present opportunity for increased efficiency, but also mean the potential security risks are growing in volume and sophistication. It's important for trustees to have a clear view of these potential danger areas and actively reassess them over time. Our guidance has been designed as a practical means to help identify where all risks and responsibilities lie, enabling schemes to put together a robust and effective plan of action to be taken should the worst unfortunately happen."
The Pensions Administration Standards Association is a professional organization that provides standards for accreditation in pension administration in the U.K.
The guide is available on PASA's website.