Leading magazine Pensions Expert this week wrote a piece highlighting the issue of pension information security – but what should scheme sponsors and trustees be asking of their analytics providers in order to ensure their data remains confidential?
On the same day that eBay announced that 233 million of its users worldwide could be at risk of identity theft after their personal data were stolen in the world’s biggest online security breach, Pensions Expert looked at the issue of pension information security in this article.
It is likely that, to date, information security has been a concern somewhat overlooked by the pensions community – this despite an increasing number of schemes housing their data online, driven in part by consultants moving from paper- or spreadsheet-based valuations and reporting to web-based analytics programmes. While such systems are a welcome step forward in the evolution of pension risk management, schemes must perform due diligence on the third-party software provided if they are to mitigate the risk of significant security breaches. So what should sponsors and trustees be asking of their technology providers?
Pensions Expert rightly makes the point that “trustees could request to see proof their provider is aligned or certified to the global ISO27001/ISO27002 standards, which were developed to provide a model for maintaining and improving information security management systems”. This should be the first step. Beyond this, reputable providers of technology – whether these are advisers, consultants or specialist FinTech firms – should also be doing their own due diligence, and implementing policies and procedures to ensure that information security is adopted and policed throughout their organisations.
Regular information security awareness training, adequate vetting of third-party suppliers and thorough security tests are important building blocks of a holistic approach to the issue. In particular, providers should be regularly exposing their software to penetration testing, which involves employing an external, independent party to attempt to professionally hack the system. A thorough approach would test security from both the outside (i.e. can the hackers get past the initial defence systems?) and from the inside (i.e. once past the log-in page, can a user access other clients’ data?). At this stage, such tests will also review the vulnerability of the software to hackers corrupting, harvesting or monitoring data (via embedding spyware-like programmes).
With the world’s eye turning to the issue of information security, now is the time for the pension industry to make sure that its own house is in order.