The Plan holds large amounts of personal information about our members, as well as other assets, which can make us a target for fraudsters and criminals. We are taking steps to protect our members and assets accordingly, which involves putting protective measures in place against cyber risk. This is an issue which The Pensions Regulator (TPR) is asking all trustees and scheme managers to address, regardless of the size or structure of their particular scheme.
Cyber risk is broadly defined as the risk of loss, disruption or damage to a scheme or its members as a result of the failure of its information technology systems and processes. It includes risks to information (data security) as well as assets, and both internal risks (e.g. from staff) and external risks (e.g. hacking).
We are taking steps to build our cyber resilience: our ability both to assess and minimise the risk of a cyber incident occurring and to recover when an incident takes place. We are collaborating with all relevant parties (including our third-party service providers) to define our approach to managing this risk, in line with guidance provided by TPR and other industry experts.
To date we have implemented the following measures:
- Two-stage authentication for access to the Trustee library (which contains historical information about the pension scheme);
- Improved security for the devices that the Trustees use to manage scheme information;
- A more robust password regime for protecting sensitive Plan electronic information;
- An electronic signature approval system;
- Dedicated Trustee email accounts;
- Annual cyber awareness training for Trustee Directors; and
- Governance processes to manage cyber protection, incident response, password management and emails. These are reviewed and updated at least annually to ensure that the latest cyber protection protocols are incorporated.
Our next steps will include assessments of the cyber protection measures that our third-party service providers have in place, to ensure that Plan information is adequately protected, no matter where it is held.