Does “cybersecurity” leave you cold?
Tuesday, May 1, 2018
cybersecurity, IT, infrastructure, GDPR, implementation, data privacy
Print Mail Download i

If I ever claimed to be an expert on IT systems and processes, those who work in our firm’s IT department would struggle to contain their amusement.

Along with many other forty-somethings, I am a proficient user of IT at work and at home – until something goes wrong. Then I find it frustrating because I realise that I am pretty clueless about how everything really works; in fact, I need an expert to put it right so that I can go back to pressing buttons and swiping screens to my heart’s content. I suspect that many pension plan trustees are in a similar place.

The Pensions Regulator’s recent guidance on cybersecurity leaves me feeling cold because it confirms the stark reality that one weak link in any chain may spell reputational or financial disaster for a pension plan. It seems like a very difficult thing to protect against.

Building cybersecurity “resilience” and understanding the cybersecurity footprint requires more IT expertise than most trustee boards possess as a group. The threat is not new of course – some trustee boards will already have made considerable steps towards understanding how their data is protected and how their IT systems are tested and maintained. The advent of GDPR has also helped to force attention on data security.

The Pensions Regulator makes it clear that cyber risk “is an issue which all trustees and scheme managers, regardless of the size or structure of their scheme should be alert to.” Trustees are accountable for the security of data and scheme assets, even where day to day functions are outsourced. Cybersecurity should be an integral part of the scheme’s internal controls processes, it should be considered when selecting third party suppliers and suitable provisions should be included in contracts.

“The cyber risk is complex and evolving, and requires a dynamic response. Your controls, processes and response plan should be regularly tested and reviewed. You should be regularly updated on cyber risks, incidents and controls, and seek appropriate information and guidance on threats.”

I suggest that trustees read and consider the cybersecurity guidance and add it to the agenda for the next meeting to assess where they stand in relation to TPR’s expectations. Access to IT experts is likely to be required and independent assessment may be appropriate. But given that I am not a computer “geek”, I will leave it there…

© Copyright 2024 Squire Patton Boggs (US) LLP

Current Legal Analysis

More from Squire Patton Boggs (US) LLP

Workplace Harassment in Germany: Questions Over Compensation
by: Anna-Maria Hesse
When the EDPB is Weaponized, It Is Our Privacy That Is at Risk
by: Charles-Albert Helleputte
The Ohio Supreme Court Updates its Writing Manual
by: Appellate & Supreme Court Group Squire Patton Boggs
The General Code in Bite-Sized Chunks ­– Proportionality is the Special Ingredient
by: Matthew Giles
Relying on CAFA's Discretionary "Home-State" Exception, Federal Court Punts Data Breach Class Action Back to State Court
by: Amy Brown Doolittle , Katherine A. Spicer
Why the Taylor Swift AI Scandal is Pushing Lawmakers to Address Pornographic Deepfakes
by: Susie Ruiz-Lichter
The Potential Mushroom Effect of the USPTO’s Mushrooming Patent Application Fees
by: Woli I. Urbe , Frank L. Bernstein
The USPTO Re-Explains What “Means” Means
by: Frank L. Bernstein
Singapore Progresses Towards Amended Cybersecurity Law
by: Charmian Aw
UK Litigation Funding Post PACCAR – Tying up Loose Ends
by: Helena Clarke , Rachael Markham

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins