Schemes using online data analytics systems to inform investment and risk-management decisions have been urged by system providers to put in place governance procedures to ensure data security.
More defined benefit schemes have started to monitor their assets and liabilities using live modellers to inform investment decisions over the past three years, with a survey of global institutional asset owners earlier this year finding 83 per cent had increased investment in data analytics.
How trustees can avoid a data breach:
Ensure there is a contract in place with the vendor that sets out its obligations.
Confirm whether information will be stored offsite and where that will take place.
Make sure the vendor is certified by asking for third-party references.
Leakage of member data is the most obvious risk posed to schemes using web-based systems to model data, said Matthew Seymour, managing director at technology provider PensionsFirst, which has an analytics programme called Pfaroe.
Normally, the use of this type of technology would involve significant audits, yet this is not happening, Seymour said.
“Clearly with anything made available on the internet there are many more people that have the opportunity to [hack] into that information,” said Seymour. “Within a pension there will be some particularly sensitive information.”
Schemes could be vulnerable to reputational risk if their data are compromised, even if the data are relatively anonymised.
Seymour said in his experience schemes only carry out a thorough assessment of the system once they have procured it.
Instead, employers could get their IT teams involved by carrying out an adequate assessment of the data analytics system before procuring it.
“It’s really making sure they are performing the necessary due diligence of the analytics providers prior to agreeing to have their information being made available by them,” said Seymour.
Trustees could request to see proof their provider is aligned or certified to the global ISO27001/ISO27002 standards, which were developed to provide a model for establishing, maintaining and improving an information security management system.
“[Schemes] need to understand how the data’s held, where it is held [and] how it’s built up, who’s got access to it, how does it get used,” said Raj Mody, head of UK pensions at consultancy PwC, which released its analytics tool Skyval last year.
“It would be useful and valuable for schemes to understand exactly how the inputs that are provided to the system are managed and how they’re used to generate outputs,” he said.
Without understanding this, a scheme cannot be sure of how reliable the data generated are, Mody added.
Penalties for non-compliance
In accordance with the Data Protection Act 1998, schemes have an obligation to take appropriate measures to preserve the security of data.
Schemes that have not carried out the necessary due diligence could be liable for a fine of up to £500,000 from the Information Commissioner.
In 2012, the ICO fined Scottish Borders Council £250,000 after former employees’ pension records were found in an overfilled paper recycling bank in a supermarket car park.
The measures a scheme would be expected to take would be in proportion to its resources, said Richard Cumbley, partner at law firm Linklaters.
“The point for the trustee is to realise that they’re always going to be in the firing line whatever; whether the software provider is [as well] depends on how the trustees are set up with the provider,” he said.