November 25, 2019 12:00 AM

Cyberattack potential puts pressure on record keepers

U.K. funds, regulators want robust protections in place to stop breaches

Paulina Pielichata
    Louise Williamson
    Charles Shearn
    Louise Williamson said U.K. master trusts now are required to have strong measures to thwart hackers.

    Record keepers are under pressure from retirement plan trustees and regulators to protect participant data in the U.K. after several companies such as Tesco PLC and British Airways PLC became targets of cyberattacks.

    The European Union's General Data Protection Regulation catalyzed a heightened focus on cyber data theft in the U.K. Since 2018, the regulation has required companies that do business in the EU to shield their customers' private information. Failure to comply with GDPR rules could result in fines of up to 4% of a company's global revenues.

    To fend off cybersecurity attacks, sources said, record keepers have trained employees to respond to incidents and paid for system and software upgrades. Cyberrisk is an ever-growing risk, said Louise Williamson, risk and compliance manager at LifeSight, London, the £3.5 billion ($4.5 billion) defined contribution master trust of Willis Towers Watson PLC. Record keepers are now required by both trustees and The Pensions Regulator to take action in the event of cyberattacks, including an ongoing proactive review, she said.

    For example, to secure the U.K. regulator's permission to remain in the market beyond 2019 under the U.K. master trust regulation, master trusts have been required, in addition to complying with GDPR, to get their own record keeping and their outsourced record keepers to adhere to the U.K. National Standards Body's information security standards and to report ongoing cyberincidents to trustees.

    Before granting authorization this summer, Ms. Williamson said, the regulator required master trusts to confirm that firewalls were installed; to share details of information security infrastructure; to confirm that reporting on cybersecurity to trustees was in place; and, where possible, to present evidence that systems have been tested according to standards such as the quality management system standard, ISO 27001.

    Retirement plan trustees also say they are employing a tougher audit of administration providers that are storing data on their participants. Trustees are ultimately obligated to report record-keeper data breaches within 72 hours of an incident to the U.K. Information Commissioner's Office.

    "The trustees are ultimately responsible for any data breach and nobody else," said Vassos Vassou, professional trustee at independent trustee firm Dalriada Trustees Ltd. in London.

    Mr. Vassou also wants to ensure that record keepers follow U.K. government standards that guide organizations on how to protect information systems against threats. Further, he wants to make sure that data workers are properly vetted and physical protections such as locks are in place.

    "We ask record keepers (annually) who are the individuals responsible for cybersecurity and what protections (firms) have in place as well as whether they comply with global standards such as the international information security standard known as ISO 27001 and the U.K. National Cyber Security Centre's Cyber Essentials certification," he said.

    Third-party providers

    Under the new master trust requirements, effective Nov. 5, master trusts are liable for the risks their participants' data is exposed to if personal data, such as bank account details and addresses, is held by external providers, sources said.

    Ian Bell, partner and head of pensions at audit and advisory firm RSM U.K. Group LLP, London, said in a telephone interview that "the bigger cyberrisk" is potentially not inside of the record-keeping firms themselves but in the multitude of subcontractors they are using and in "how the data is being moved between the providers."

    "We think the use of email to transfer data should be discouraged," Mr. Bell said, adding the firm is advising that data should be encrypted and online portals should be used.

    Dalriada's Mr. Vassou said the source of data, including the format in which data is arriving from third-party providers, is "a real risk," adding that he prefers online platforms that allow the participant data to be downloaded as opposed to sent via emails, which are targets for hackers.

    Mr. Vassou added that many record keepers use older technology more prone to cyberthreats. "When the data is transferred from one platform that is older to another, the risks are higher," he said. "We are working with record keepers to speed up their transition from old systems to new more secure systems."

    But Mr. Vassou also said that some record keepers and third-party providers did not share the details of what was learned from simulated data breaches.

    "Some firms could not tell us what gaps in security they have found during a simulated cyberattack," he said. "Instead they simply reassured us that work was undertaken to close those gaps."


    Human error

    Sources also agreed that the human risk remains a major factor in record-keeping firms' cybersecurity. LifeSight's Ms. Williamson said that many of the data breaches happen due to "human error" such as a dangerous email opened by an employee.

    To counter these attacks, "we conduct deliberate phishing exercises," she said.

    "For employees who fail these exercises because they opened a suspicious email, we send them to in-house training," she added.

    Record keepers should at the very least ensure that their employees are trained not to be a victim of an attack, said Girish Menezes, head of administration services at record-keeping firm Premier Pensions Management Ltd., who is also a board member of The Pensions Administration Standards Association in the U.K. He added that "malicious links or attachments are increasingly embedded into emails that look like genuine emails."

    However, for Mr. Menezes, record-keeping employee training is only half the battle because easy access for participants to their data creates cyberrisks as well.

    A biometric verification such as fingerprints could help record keepers to avoid that, he said.

    But for David Bird, LifeSight's head of proposition development, multiple devices can make access to the data safer. "We want participants to be able to access the data on mobile devices," he said.

    "We apply multifactor authentication," which requires receiving a password via text to access the data on the computer, for example.


    Split processes

    To avoid cyberrisks, Mr. Menezes said his firm also splits workflows and has established processes in such a way that it is difficult for "staff to make mistakes."

    "At Premier, almost none of the critical staff has laptops," he said, adding that this means employees access the system through a locked-down computer rather than working from home. The firm's employees do not have access to all the information and systems but rather just the system that is connected to their respective workflow.

    LifeSight's Mr. Bird concurred. "In my role, I don't need to have access to member data, so I'm not able to see the data internally," he said.

    Mr. Bird added that Willis Towers Watson's staff works from registered laptops, which are authenticated from separate devices.

    Pensions & Investments
    Copyright © 1996-2023. Crain Communications, Inc. All Rights Reserved.