Pension trustees feel “out of their depth” on data protection and cybersecurity issues, according to a recent survey.

UK audit firm Crowe Clark Whitehill surveyed 145 pension professionals on risk management issues and found a split in opinion as to the importance of cybersecurity.

Data protection and cybersecurity issues ranked in the top five risk concerns, behind funding volatility, employer covenant strength, and investment issues.

However, Crowe Clark Whitehill identified a “significant difference in views between small and large schemes”.

Small schemes – defined as having less than £100m (€110.5m) in assets – were more likely to outsource activities to third parties, the audit firm said, and so would expect these parties to be responsible for data security.

Respondents responsible for defined contribution funds were more concerned about the issue than their counterparts running defined benefit schemes, the survey showed.

Eddie Hodgart, risk and assurance director at Crowe Clark Whitehill, said: “There is an awareness within schemes that the personal data that they hold is a valuable commodity and that they need to act to ensure that their members’ information is protected.

“However, while most trustees are comfortable managing financial and regulatory risks, many feel out of their depth with non-traditional risks such as cybersecurity. More work is needed to educate pension trustees on managing non-traditional risks which impact pension schemes.”

The findings follow a major cyberattack that hit UK institutions including the National Health Service earlier this year. The incident raised concerns about firms’ awareness of data security.

Today, the UK’s Department for Digital, Culture, Media and Sport (DCMS) announced that it would be adopting the EU’s General Data Protection Regulation (GDPR) into its law book.

GDPR is set to come into force in May next year. The rules specify 11 mandatory clauses to be included in contracts with third parties governing the protection of data, as well as a range of other measures.

Leanne Oddy, associate at law firm Addleshaw Goddard, said it was “very unlikely that existing contracts will contain all of the mandatory clauses and trustees/managers will therefore need to conduct a contract review and seek amendments”.

“Trustees/managers need to review processes to ensure that data breaches can be detected, isolated, reported and remedied appropriately and would be well advised to document these processes,” Oddy added.

A “robust” cybersecurity policy was likely to become a key document for pension schemes, she said.

“May 2018 may seem like a long time away,” Oddy said. “However, a significant number of actions need to be taken and agreement reached with various third parties and trustee/managers should therefore prioritise GDPR now.” 

A statement from DCMS said its planned new data protection bill would make companies handling data “more accountable… with the priority on personal privacy rights”.

“Those organisations carrying out high-risk data processing will be obliged to carry out impact assessments to understand the risks involved,” the DCMS said.