6th October 2016
In a nutshell
As lawyers, the biggest issue that we see when we discuss ‘cyber security’ with all types of organisations is often not ‘computer security’ but ‘people security’.
Organisations must make sure they have robust policies covering cyber / data security, data protection and IT and communications - which are communicated to employees so they are familiar with the rules and processes they are required to follow.
Trustees need to ensure that all cyber security risks are covered, both technology and staff, and further they must ensure that any agreements with third party IT service providers comply with the outsourcing requirements of the FCA handbook and that they actively manage and monitor their service providers.
Authors: Katherine Maxwell, Partner and Head of Employment, Moore Blatch and Dorothy Agnew, partner and cyber security expert, Moore Blatch
Research shows that 90% of large organisations have suffered a security breach and 25% of companies experience a cyber attack at least once a month. With pension companies holding a significant amount of sensitive and confidential member data including personal and financial details, it is no surprise that security experts have warned that ‘pensions data hack is an incident waiting to happen’.
So what do trustees need to consider?
Trustees, as data controllers, are responsible for the security of all member data and ensuring the handling of it is compliant under the Data Protection Act 1998. It is also important for trustees to understand that this responsibility also applies to any contracts with third parties for example third party administrators and employers, but also cloud computing providers.
As lawyers, the biggest issue that we see when we discuss ‘cyber security’ with all types of organisations is often not ‘computer security’ but ‘people security’. Whilst organisations can have the very best tech in place and invest heavily in new systems, the fact is that around a third of data security issues are people-based.
Data is scarce but, in 2014, a cyber claims study found that over a third (34%) of claims for data loss was down to people security, with 11% of the dataset being rogue employees; 10% for lost or stolen laptop devices; and 13% for staff mistakes. Add to this a further 5% for improper data collection, and almost 4 out of 10 (39%) of the claims are because of the user.
(Source: http://www.netdiligence.com/NetDiligence_2014CyberClaimsStudy.pdf )
Many organisations protect themselves from the usual business-critical blunders through the employee’s employment contract and making sure the company has appropriate policies and procedures in place. However, this is often not the case with data loss, as it is often not given the same priority, albeit the consequences to an organisation are just as serious as other high profile employment issues, such as inappropriate sexual or racial behaviour or financial misconduct which are costly and can damage the company’s reputation.
Organisations must make sure they have robust policies covering cyber / data security, data protection and IT and communications - which are communicated to employees so they are familiar with the rules and processes they are required to follow. Appropriate training should also be provided. Failure to ensure that data security is protected can put individuals at risk, cause them harm and distress, and result in a loss of reputation and prosperity to organisations. The Information Commissioner has the right to levy fines of up to £500,000 for a serious breach of data protection principles. The corporate fallout and financial implications can often be much more severe and broader in nature when cyber or data issues are involved. As the data controller, the organisation is responsible for making sure the confidentiality of the data they process is preserved.
While the primary consideration is ensuring that appropriate policies and procedures are in place to protect pension scheme information we would also advise putting in place policies on social media. In the context of pension schemes this is just good practice and ensures that a maverick, foolish or malicious member of staff does not use social media inappropriately in the context of the scheme and members. As such we would recommend policies on use of social networking sites including details of what constitutes damaging, or illegal communications such as posting confidential information on the scheme; how the scheme will monitor compliance with the policy; and the sanctions imposed for any breach of the policy.
This is critical for any business, as although the legal framework is still being developed, it is clear that businesses can face sanctions and private claims for cyber-security breaches. The ICO has heavily fined some companies that have been hacked due to a known security vulnerability, and a failure to protect confidential information due to a lack of adequate cyber-security can also be a breach of the common law duty of care, therefore amounting to negligence.
The Data Protection Act requires data controllers to have appropriate security to prevent personal data that they hold from being accidentally or deliberately lost, destroyed, damaged or compromised in some other way. The legislation does not define what security is “appropriate”, but any assessment of security measures should consider the consensus of opinion in the professions and industry about what constitutes good practice. For example, laptop computers holding sensitive personal data should be encrypted. Mobile telephones containing confidential data should also be passcode protected.
ISO 27001: 2013, which sets a standard for security management systems, is regularly cited by the ICO in enforcement decisions and regulatory guidance, and deals with such matters as Human Resource security.
Under the Data Protection Act, a trustee is defined as a data controller and therefore must take reasonable steps to ensure the reliability of any employees who have access to personal data. Policies should be reviewed regularly to ensure that they meet legal requirements and reflect best practice in this ever changing and evolving area.
A key consideration currently for many schemes is the use of cloud computing. From a regulatory perspective the cloud is much easier to understand if you work on the simple premise that you have to carry out all of the safeguards that you would assuming your computer data was held in your own office, rather than held remotely on servers provided by third party providers which can often be outside of the UK.
According to Cisco, cloud applications will account for 90% of global mobile data traffic by 2019. However, the cloud has raised regulatory issues and the Financial Conduct Authority (‘FCA’) has, for the first time, published proposed guidance for all financial service firms who wish to outsource to the cloud or other third party IT services. In doing so, the FCA aims to encourage innovation and ‘unlock’ the potential benefits of the cloud for firms, consumers and the wider market.
Whilst criticism has been levelled at the guidance for being slightly late (the US, for example, introduced such guidance a while ago), it does provide some clarification on how to outsource to the cloud safely and responsibly, and the FCA’s expectations when doing so, to both regulated firms and service providers.
The guidance sets out a non-exhaustive list of areas that should be considered throughout the entire life-cycle of the outsourcing contract. This begins with evaluating the suitability of the provider from a legal and regulatory point of view, and extends not only to the day to day management of the contract, such as ensuring adequate data protection and security, but also to establishing that it is able to exit the contract without undue disruption.
However, consideration of the guidance on its own may not be enough. The FCA considers that the use of cloud based services is a form of outsourcing, so regulated firms will still need to ensure that the terms they agree with service providers comply with the general outsourcing requirements contained in SYSC 8.1 of the FCA handbook.
In particular, the guidance highlights the need to comply with SYSC 8.1.8(9) in relation to providing effective access to the data and business premises of both the firm and the service provider by the firm and its regulators. However, the guidance clarifies that this does not necessarily mean access to all premises, but only those relevant for ‘effective oversight’. It also accepts that service providers may legitimately limit access to some sites, such as data centres, for security reasons.
In particular, whilst service providers should commit to providing and co-operating with regulator access, the guidance states that this access can be qualified so as to take place only when necessary under legal and regulatory requirements, and only at a time specified by the service provider or with reasonable notice (except in an emergency or crisis situation).
Consultation on the guidance has now closed and whilst there is still room for improvement, for example, clarity on the scope of the guidance (such as what amounts to ‘other third party IT services’), there is now transparency on how the ‘cloud’ should be treated in the context of existing FCA regulatory requirements. It is helpful that the FCA has finally stated that there is no fundamental reason why such cloud based providers should not be utilised, and provides a helpful checklist of issues that need to be considered when entering into and maintaining such an arrangement.
The FCA’s guidance provides a helpful checklist of issues that regulated firms should consider when outsourcing to the cloud or other third party IT services:
Legal and regulatory considerations
Oversight of service provider
Data Protection Act 1998
Effective access to data
Access to business premises
Relationship between service providers
Continuity and business planning
Resolution (where applicable)
In summary, trustees need to ensure that all cyber security risks are covered, both technology and staff, and further they must ensure that any agreements with third party IT service providers comply with the outsourcing requirements of the FCA handbook and actively managed and monitored.
 PricewaterhouseCoopers (PwC) 2015 Information Security Breaches Survey, conducted on behalf of the Department for Business, Innovation and Skills
 Cyber Security Breaches Survey 2016 commissioned by the Department for Culture, Media and Sport (DCMS)
 Monica Cope, chief operating officer at finance IT firm Veratta as quoted in Daily Mail - http://www.thisismoney.co.uk/money/pensions/article-3344301/Is-pension-data-safe-Security-expert-issues-hack-warning.html