With cyber threats evolving rapidly, the Pensions Administration Standards Association (PASA) has urged trustees, administrators, and providers to adopt a “proactive and dynamic” approach to data, sharing new guidance on improving data security and governance.
The association argued that ensuring robust data security is not just a regulatory necessity, but is “fundamental” to maintaining trust and confidence in pension schemes.
“Protecting sensitive member data isn’t just about mitigating risks; it’s about safeguarding the integrity of the scheme and the peace of mind for all involved,” it said.
As schemes become increasingly reliant on data in decision-making and member service delivery, the guidance aims to strengthen data security, future-proof administration, and support robust scheme governance in response to the growing threat of cyberattacks and identity fraud.
Specifically, it offers practical and accessible advice on improving data security and governance, addressing topics such as third-party oversight, responsible AI usage, cyber resilience, and secure communications to enhance data management.
The guidance also outlined practical measures, such as implementing role-based access controls and multi-factor authentication, assessing and overseeing third-party vendors, conducting regular security evaluations, and incorporating these actions into the Effective System of Governance (ESOG) and Own Risk Assessments (ORA) frameworks.
It also recommended that providers and trustees create incident response plans and data communication strategies, as well as prepare for potential risks associated with emerging technologies such as AI.
PASA Data Working Group chair, Kristy Cotton, argued that trustees and providers are custodians not only of member benefits, but of highly sensitive personal data.
“Data breaches and cyber-attacks are no longer abstract threats; they’re real, frequent and growing,” Cotton said.
“This guidance equips schemes with the tools to assess, protect and respond to data security risks, while embedding a culture of awareness across all stakeholders.”
Adding to this, PASA chair, David Fairs, said the guidance aims to enhance schemes' confidence in their controls, ensuring they are taking appropriate and proactive measures.