Record keepers are under pressure from retirement plan trustees and regulators to protect participant data in the U.K. after several companies such as Tesco PLC and British Airways PLC became targets of cyberattacks.
The European Union's General Data Protection Regulation catalyzed a heightened focus on cyber data theft in the U.K. Since 2018, the regulation has required companies that do business in the EU to shield their customers' private information. Failure to comply with GDPR rules could result in fines of up to 4% of a company's global revenues.
To fend off cybersecurity attacks, sources said, record keepers have trained employees to respond to incidents and paid for system and software upgrades. Cyberrisk is an ever-growing risk, said Louise Williamson, risk and compliance manager at LifeSight, London, the £3.5 billion ($4.5 billion) defined contribution master trust of Willis Towers Watson PLC. Record keepers are now required by both trustees and The Pensions Regulator to take action in the event of cyberattacks, including an ongoing proactive review, she said.
For example, to secure the U.K. regulator's permission to remain in the market beyond 2019 under the U.K. master trust regulation, master trusts have been required, in addition to complying with GDPR, to ensure that both their in-house record keeping and their outsourced record keepers adhere to the U.K. National Standards Body's information security standards, and to report ongoing cyberincidents to trustees.
Before granting authorization this summer, Ms. Williamson said, the regulator required master trusts to confirm that firewalls were installed; to share details of information security infrastructure; to confirm that reporting on cybersecurity to trustees was in place; and, where possible, to present evidence that systems have been tested according to standards such as the quality management system standard, ISO 27001.
Retirement plan trustees also say they are employing a tougher audit of administration providers that are storing data on their participants. Trustees are ultimately obligated to report record-keeper data breaches within 72 hours of an incident to the U.K. Information Commissioner's Office.
"The trustees are ultimately responsible for any data breach and nobody else," said Vassos Vassou, professional trustee at independent trustee firm Dalriada Trustees Ltd. in London.
Mr. Vassou also wants to ensure that record keepers follow U.K. government standards that guide organizations on how to protect information systems against threats. Further, he wants to make sure that data workers are properly vetted and physical protections such as locks are in place.
"We ask record keepers (annually) who are the individuals responsible for cybersecurity and what protections (firms) have in place as well as whether they comply with global standards such as the international information security standard known as ISO 27001 and the U.K. National Cyber Security Centre's Cyber Essentials certification," he said.