As an investment professional I am used to traditional risk categories like equities, interest rates, inflation and the like. Now it seems we will have to add information security risk to that list. With the new data protection rules coming in and so much data online, our board has decided to inform itself about what it should do.
So the trustees asked their favoured strategy consultants, Lars and Paul, who also happen to be retained by our sponsor, to come in and deliver a workshop on information security.
‘The GDPR rules will affect pension funds as well as other parts of the economy,’ Paul warns us in a seminar specially set up for us. ‘Pension funds are a weak link, with small management structures, old IT systems and a lack of understanding of cybersecurity.’
Lars notes that pension funds are responsible for one in 10 of all data breaches reported to the Dutch data protection authorities. A lot of this turns out to be down to wrongly addressed mail it seems, however.
Then Paul chimes in on cybersecurity. ‘As a pension fund, Wasserdicht is also a weak spot in the Dutch information security ecosystem,’ he says. Apparently we need to set up policies on passwords, staff laptops and breach notification.
Rolf, our trustee chairman, points out that he can hardly remember which password he uses for what website.
A few weeks later, Rolf sends round an email to tell us that Connie, another one of our trustees, has been appointed head of information security. ‘We are sending a signal with this board-level appointment that we take this topic extremely seriously,’ Rolf says in his email.
I agree. Connie is a good and well-qualified trustee. Although she doesn’t have a smartphone and certainly does not use social media, I am sure she will get to grips with the issues.
Pieter Mullen is investment director at Wasserdicht Pension Funds