November 25, 2019 12:00 AM

Cyberattack potential puts pressure on record keepers

U.K. funds, regulators want robust protections in place to stop breaches

Paulina Pielichata
    Charles Shearn
    Louise Williamson said U.K. master trusts now are required to have strong measures to thwart hackers.

    Record keepers are under pressure from retirement plan trustees and regulators to protect participant data in the U.K. after several companies such as Tesco PLC and British Airways PLC became targets of cyberattacks.

    The European Union's General Data Protection Regulation catalyzed a heightened focus on cyber data theft in the U.K. Since 2018, the regulation has required companies that do business in the EU to shield their customers' private information. Failure to comply with GDPR rules could result in fines of up to 4% of a company's global revenues.

    To fend off cybersecurity attacks, sources said, record keepers have trained employees to respond to incidents and paid for system and software upgrades. Cyberrisk is an ever-growing risk, said Louise Williamson, risk and compliance manager at LifeSight, London, the £3.5 billion ($4.5 billion) defined contribution master trust of Willis Towers Watson PLC. Record keepers are now required by both trustees and The Pensions Regulator to take action in the event of cyberattacks, including an ongoing proactive review, she said.

    For example, to secure the U.K. regulator's permission to remain in the market beyond 2019 under the U.K. master trust regulation, master trusts have been required, in addition to complying with GDPR, to get their own record keeping and their outsourced record keepers to adhere to the U.K. National Standards Body's information security standards and to report ongoing cyberincidents to trustees.

    Before granting authorization this summer, Ms. Williamson said, the regulator required master trusts to confirm that firewalls were installed; to share details of information security infrastructure; to confirm that reporting on cybersecurity to trustees was in place; and, where possible, to present evidence that systems have been tested according to standards such as the quality management system standard, ISO 27001.

    Retirement plan trustees also say they are employing a tougher audit of administration providers that are storing data on their participants. Trustees are ultimately obligated to report record-keeper data breaches within 72 hours of an incident to the U.K. Information Commissioner's Office.

    "The trustees are ultimately responsible for any data breach and nobody else," said Vassos Vassou, professional trustee at independent trustee firm Dalriada Trustees Ltd. in London.

    Mr. Vassou also wants to ensure that record keepers follow U.K. government standards that guide organizations on how to protect information systems against threats. Further, he wants to make sure that data workers are properly vetted and physical protections such as locks are in place.

    "We ask record keepers (annually) who are the individuals responsible for cybersecurity and what protections (firms) have in place as well as whether they comply with global standards such as the international information security standard known as ISO 27001 and the U.K. National Cyber Security Centre's Cyber Essentials certification," he said.

    Third-party providers

    Under the new master trust requirements, effective Nov. 5, master trusts are liable for the risks their participants' data is exposed to if personal data, such as bank account details and addresses, is held by external providers, sources said.

    Ian Bell, partner and head of pensions at audit and advisory firm RSM U.K. Group LLP, London, said in a telephone interview that "the bigger cyberrisk" is potentially not inside of the record-keeping firms themselves but in the multitude of subcontractors they are using and in "how the data is being moved between the providers."

    "We think the use of email to transfer data should be discouraged," Mr. Bell said, adding the firm is advising that data should be encrypted and online portals should be used.

    Dalriada's Mr. Vassou said the source of data, including the format in which data is arriving from third-party providers, is "a real risk," adding that he prefers online platforms that allow the participant data to be downloaded as opposed to sent via emails, which are targets for hackers.

    Mr. Vassou added that many record keepers use older technology more prone to cyberthreats. "When the data is transferred from one platform that is older to another, the risks are higher," he said. "We are working with record keepers to speed up their transition from old systems to new more secure systems."

    But Mr. Vassou also said that some record keepers and third-party providers did not share the details of what was learned from simulated data breaches.

    "Some firms could not tell us what gaps in security they have found during a simulated cyberattack," he said. "Instead they simply reassured us that work was undertaken to close those gaps."


    Human error

    Sources also agreed that the human risk remains a major factor in record-keeping firms' cybersecurity. LifeSight's Ms. Williamson said that many of the data breaches happen due to "human error," such as a dangerous email opened by an employee.

    To counter these attacks, "we conduct deliberate phishing exercises," she said.

    "For employees who fail these exercises because they opened a suspicious email, we send them to in-house training," she added.

    Record keepers should at the very least ensure that their employees are trained not to be a victim of an attack, said Girish Menezes, head of administration services at record-keeping firm Premier Pensions Management Ltd., who is also a board member of The Pensions Administration Standards Association in the U.K. He added that "malicious links or attachments are increasingly embedded into emails that look like genuine emails."

    However, for Mr. Menezes, record-keeping employee training is only half the battle because easy access for participants to their data creates cyberrisks as well.

    A biometric verification such as fingerprints could help record keepers to avoid that, he said.

    But for David Bird, LifeSight's head of proposition development, multiple devices can make access to the data safer. "We want participants to be able to access the data on mobile devices," he said.

    "We apply multifactor authentication," which requires receiving a password via text to access the data on the computer, for example.


    Split processes

    To avoid cyberrisks, Mr. Menezes said his firm also splits workflows and has established processes in such a way that it is difficult for "staff to make mistakes."

    "At Premier, almost none of the critical staff has laptops," he said, adding that this means employees access the system through a locked-down computer rather than working from home. The firm's employees do not have access to all the information and systems but rather just the system that is connected to their respective workflow.

    LifeSight's Mr. Bird concurred. "In my role, I don't need to have access to member data, so I'm not able to see the data internally," he said.

    Mr. Bird added that Willis Towers Watson's staff works from registered laptops, which are authenticated from separate devices.

    Pensions & Investments
    Copyright © 1996-2022. Crain Communications, Inc. All Rights Reserved.