These are tough times – we’re all lucky that financial services were already moving in a remote-working and online direction, but there is a huge variation in the level of readiness. Organisations with a robust Business Continuity Plan (BCP), rigorous internal controls and a track record of investment in information security are best placed to face the cyber security challenges, but this is a joined-up world with multiple interdependencies. The pension payment system depends on payroll, BACS, banking, and HMRC systems. Death benefit administration depends on insurance and banking systems. Everything depends on member communications and an effective replacement for the postal system. When the world needs to move quickly, there’s a strong temptation to take just that little bit more risk to get things done, but predators old and new are still stalking our pension schemes, so the control environment matters now more than ever.
Internal controls and the kitchen table
Effective internal controls around information technology, cyber risk and data management are about more than passwords and firewalls. There is a whole range of behavioural and technological activities that threaten data security, and the controls need to be as effective at a thousand makeshift kitchen table workstations as they are under the organisation’s roof. A few of these are worth thinking about in detail to see whether and how they translate to the home environment.
Physical access to computer equipment, computer networks and documentation
When Police Scotland presented at a Scottish PMI Regional Group seminar on cyber crime, everyone in the room was struck by how successfully criminals could access an office environment to target organisations and identities. The office is always on the lookout for tailgaters, but a friendly contract cleaner with a camera phone could surreptitiously photograph documents on desks as he made his way through the room, gathering up member and banking details in his wake.
Living under lockdown, most offices will now be both people and paper free, but that doesn’t mean the physical access risk goes away – it just shifts to those one thousand kitchens, one thousand recycling bins and whatever a motivated data miner is able to find there. If staff can print member data at home, they can also leak it. Maybe people have shredders, maybe they don’t; maybe people with shredders will routinely shred every document, maybe they won’t. Either way, the organisational control has been taken out of the equation.
Faced with so much potential risk in such uncertain times, the absolute best control is to lock the system down, with no at-home printing, no memory sticks, discs or other removable media. Only those staff with a legitimate and pressing business need should be granted controlled access rights to plug-in devices such as home printers, and then only in very limited circumstances. There’s a convenience cost, but it’s one worth paying.
Appropriate measures are implemented to counter the threat from malicious attack
A recent estimate quoted social engineering, “the act of manipulating or tricking people into certain actions including divulging personal or financial information”, as being behind 98% of cyber threats under corona. Basically, these are boom times for cyber crime.
IT may be manning the firewalls, but the vigilant cyber-hygiene and collective good sense of the office quickly crumble in a crisis situation. People are at home, keeping calm and carrying on, but all the time hungry for news and comfort. Bugs, malware and ransomware are lurking in official-looking COVID-19 updates and websites. Social media is rife with links appearing to offer distraction and reassurance. People are much more prone to taking online risks as their offline world shrinks. It’s a perfect data security storm.
Again, the best control is a system lockdown that breaks the link between the remote workstation and the wider world – social media and open browsing are incompatible with data security. An effective lockdown approach on systems leaves your IT security systems free to focus on your business and your clients rather than the non-stop assaults of the dark web.
Data transmissions between the organisation and its counterparties are secure
This is what it all comes down to. Data, large and small, still needs to move between organisations, IDs need to be verified, payments authorised, and communications issued. In current circumstances, the months and years of planning that go into data interface policies are necessarily condensed into weeks, and policy is converting to practice in real time.
At the practical level, where large-scale data is exchanged with employers, insurers, payroll, etc, secure exchange mechanisms are already in place across the pension and wider financial industries and these translate fairly seamlessly to the home working environment. That level of interface security is just the day job. The more challenging aspect is likely to be around exchanging data with individuals so that benefit administration keeps moving, and this is going to call for immediate online solutions.
Most Third Party Administrators will already have member online options in place but take-up can be challenging, especially for Defined Benefit (DB) schemes where data is more static and there’s often a trustee attachment to ‘how things have always been done’. Part-paternalistic and part-protective instincts towards members, the ‘little old lady factor’ and a worry that the all-important ‘personal touch’ will somehow be lost, have all traditionally played a role in the relatively slow adoption of online services.
With members stuck at home, paper-based communications are disappearing, so even a ‘no bells, no whistles’ secure online platform will keep the communication channels open until the present storm passes. Trustees are no longer asking themselves whether they want to offer members online access, they’re asking the industry exactly how fast we can deliver it.
Notes/Sources
This article was featured in Pensions Aspects magazine May 2020 edition.
Last update: 13 July 2020