Cybersecurity and the protection of member data have shot right to the top of trustee risk registers.
Many trustees will have had detailed training leading up to the introduction of GDPR in May 2018 and will have been through a wholesale review of their contracts, policies and procedures.
There is a risk that some of the training may be a little rusty. In particular, I find myself pushing trustees to re-run their response training so they are on the front foot when a breach occurs. And unfortunately, it is ‘when’, not ‘if’.
Attacks always seem to happen on a Friday evening; there is never enough information, and it is stressful.
A simple plan helps navigate first interactions, gives structure to the discussions and increases the chances of making good decisions over whether ICO notification is needed within the 72-hour deadline.
This includes confirming facts such as who is impacted, implementing the response plan, establishing who needs to know what and determining remediation.
The plan should also make sure that the increased focus on member data doesn’t obscure other priorities such as running payroll, member transactions and good governance.
Any real-life threat along these lines will be difficult to deal with, but training and a robust response plan will give structure and help to alleviate stress.