Is the pensions industry geared up for cyber-attacks and GDPR?

Business Insights

Robert Palmer, Partner at pensions specialist Quantum Advisory in Birmingham, looks into the increasingly important role of cyber security in the pensions industry:

Pension schemes, the vast sums of money in them, and the personal information they hold such as bank details and national insurance numbers, mean they are a key target for organised cybercrime units. 

Should a cyber-attack take place, which is looking ever more likely due to advances in technology, the consequences, which may go unnoticed for many years, could be catastrophic for the victims.

Real Threat

For too long this real threat has been overlooked by pension scheme trustees or put to the bottom of the ‘to do’ list, which is understandable given that trustees main priority is undoubtedly looking to manage increasing pension scheme deficits in this low interest rate environment. 

But now is the time that action needs to be taken. 

For the latter part of 2017, it is crucial that pension scheme trustees move cyber security to the top of their agenda and, if required, appoint sufficiently skilled cyber security experts to oversee and protect the confidential details they are responsible for.

Even the Pensions Regulator (TPR) is not immune to cyber-attacks and recently admitted that it has been on the receiving end of a partially successful ransomware attack but that it had blocked over 40,000 other attempts. 

This proves the industry is under attack and action needs to be taken sooner rather than later.

There is an asymmetry between what can be regarded as “success” for the two sides in this battle. 

The Trustees require a 100% record of non-breaches to be “successful”, whereas the hackers only need to be lucky once and they will have achieved their objective..

The best defence that trustees and their advisers can put up is to make a cyber-attack very difficult to succeed and hence motivate the attackers to go elsewhere for easier pickings. 

The key point is to layer the defence that is in place - the more barriers in place protecting the data, the less vulnerable you are to attack.


The cyber-threat is compounded further as trustees should also be planning for the new European Union’s General Data Protection Regulation (GDPR) that comes into force next May, and with it will come strict new rules about how such personal data is protected and huge fines for those that do not comply. 

Therefore, it makes perfect sense that trustees should invest time and money now to ensure they are not only compliant with the new rules, but also ahead of the game.

So what can the trustees do now?

“GDPR doesn’t come into effect until May 2018 so there’s plenty of time and nothing to worry about”. 


Companies shouldn’t be complacent. 

Although the fines don’t come into force until May 2018, regulations are in force now. 

The defence of ‘we didn’t do anything because we knew we wouldn’t be fined until May 2018’ will not play well in the glare of public opinion or in court. 

There is plenty that can be done which fall into four main areas:

  • Review all communications to members to ensure that the requests for personal information and the stated uses of the data are appropriate and clear.

  • Review the terms and conditions of advisers to ensure that the security of members’ personal data is inherent to the design of current and future systems / projects, including the risk of cyber-attacks to the data in transit; whilst it is being processed and at rest.

  • Develop a breach notification process. It is not defeatist to plan for the worst. Having a practical breach notification process in place will ensure that the disclosure of the breach to the relevant authorities and any corrective action, at least starts in a reactive and immediate fashion. There are very short timescales for reports to be made, hence the need for a smooth process.

  • Most processing of personal information is undertaken by suppliers to the Trustees and not the Trustees themselves. It is critical that Trustees have robust processes in place for identifying which suppliers have access to personal information and ensuring the accountability of their providers. This includes reviewing the terms and conditions of advisers to ensure that trustees are clear what advisers are contractually required to do with member data; and that this is consistent with what advisers actually do with the data.

There is not a ‘look on the bright side’ end to the article. 

The issues surrounding protection of data have little positive upside, as we are interested in avoiding a negative… children don’t regard mealtimes without sprouts as a positive. 

It is important to accept that this is a thankless task, but the consequences of failure mean this subject needs to be given a priority alongside funding and investment strategies for pension schemes.

Established in 2000, Quantum Advisory provides pension and employee benefits services to employers, scheme trustees and members from offices in Cardiff, Bristol, Amersham, Birmingham and London.

For more information about Quantum Advisory, please visit: 

Latest News