Cyberattack potential puts pressure on record keepers

Record keepers are under pressure from retirement plan trustees and regulators to protect participant data in the U.K. after several companies such as Tesco PLC and British Airways PLC became targets of cyberattacks.

The European Union's General Data Protection Regulation catalyzed a heightened focus on cyber data theft in the U.K. Since 2018, the regulation has required companies that do business in the EU to shield their customers' private information. Failure to comply with GDPR rules could result in fines of up to 4% of a company's global revenues.

To fend off cybersecurity attacks, sources said, record keepers have trained employees to respond to incidents and paid for system and software upgrades. Cyberrisk is an ever-growing risk, said Louise Williamson, risk and compliance manager at LifeSight, London, the £3.5 billion ($4.5 billion) defined contribution master trust of Willis Towers Watson PLC. Record keepers are now required by both trustees and The Pensions Regulator to take action in the event of cyberattacks, including an ongoing proactive review, she said.

For example, to secure the U.K. regulator's permission to remain in the market beyond 2019 under the U.K. master trust regulation, master trusts have been, in addition to GDPR, required to get their own record keeping and their outsourced record keepers to adhere to the U.K. National Standards Body's information security standards and to report ongoing cyberincidents to trustees.

Before granting authorization this summer, Ms. Williamson said, the regulator required master trusts to confirm that firewalls were installed; to share details of information security infrastructure; to confirm that reporting on cybersecurity to trustees was in place; and, where possible, to present evidence that systems have been tested according to standards such as the quality management system standard, ISO 27001.

Retirement plan trustees also say they are employing a tougher audit of administration providers that are storing data on their participants. Trustees are ultimately obligated to report record-keeper data breaches within 72 hours of an incident to the U.K. Information Commissioner's Office.

"The trustees are ultimately responsible for any data breach and nobody else," said Vassos Vassou, professional trustee at independent trustee firm Dalriada Trustees Ltd. in London.

Mr. Vassou also wants to ensure that record keepers follow U.K. government standards that guide organizations on how to protect information systems against threats. Further, he wants to make sure that data workers are properly vetted and physical protections such as locks are in place.

"We ask record keepers (annually) who are the individuals responsible for cybersecurity and what protections (firms) have in place as well as whether they comply with global standards such as the international information security standard known as ISO 27001 and the U.K. National Cyber Security Centre's Cyber Essentials certification," he said.

Under the new master trust requirements, effective Nov. 5, master trusts are liable for the risks their participants' data is exposed to if personal data, such as bank account details and addresses, is held by external providers, sources said.

Ian Bell, partner and head of pensions at audit and advisory firm RSM U.K. Group LLP, London, said in a telephone interview that "the bigger cyberrisk" is potentially not inside of the record-keeping firms themselves but in the multitude of subcontractors they are using and in "how the data is being moved between the providers."

"We think the use of email to transfer data should be discouraged," Mr. Bell said, adding the firm is advising that data should be encrypted and online portals should be used.

Dalriada's Mr. Vassou said the source of data, including the format in which data is arriving from third-party providers, is "a real risk," adding that he prefers online platforms that allow the participant data to be downloaded as opposed to sent via emails, which are targets for hackers.

Mr. Vassou added that many record keepers use older technology more prone to cyberthreats. "When the data is transferred from one platform that is older to another, the risks are higher," he said. "We are working with record keepers to speed up their transition from old systems to new more secure systems."

But Mr. Vassou also said that some record keepers and third-party providers did not share the details of what was learned from simulated data breaches.

"Some firms could not tell us what gaps in security they have found during a simulated cyberattack," he said. "Instead they simply reassured us that work was undertaken to close those gaps," he said.

Sources also agreed that the human risk remains a major factor in record-keeping firms' cybersecurity. LifeSight's Ms. Williamson said that many of the data breaches happen due to a "human error" such as a dangerous email opened by an employee.

To counter these attacks, "we conduct deliberate phishing exercises," she said.

"For employees who fail these exercises because they opened a suspicious email, we send them to in-house training," she added.

Record keepers should at the very least ensure that their employees are trained not to be a victim of an attack, said Girish Menezes, head of administration services at record-keeping firm Premier Pensions Management Ltd., who is also a board member of The Pensions Administration Standards Association in the U.K. He added that "malicious links or attachments are increasingly embedded into emails that look like genuine emails."

However, for Mr. Menezes, record-keeping employee training is only half that battle because easy access for participants to their data creates cyberrisks as well.

A biometric verification such as fingerprints could help record keepers to avoid that, he said.

But for David Bird, LifeSight's head of proposition development, multiple devices can make access to the data safer. "We want participants to be able to access the data on mobile devices," he said.

"We apply multifactor authentication," which requires receiving password via text to access the data on the computer, for example.

To avoid cyberrisks, Mr. Menezes said his firm also splits workflows and has established processes in such a way that it is difficult for "staff to make mistakes."

"At Premier, almost none of the critical staff has laptops," he said, adding that this means employees access the system through a locked-down computer rather than working from home. The firm's employees do not have access to all the information and systems but rather just the system that is connected to their respective workflow.

LifeSight's Mr. Bird concurred. "In my role, I don't need to have access to member data, so I'm not able to see the data internally," he said.

Mr. Bird added that Willis Tower Watson's staff works from registered laptops, which are authenticated from separate devices.