This blog is from Mark Bambury, a fine actuary who I worked with 12 years ago. It raises important questions about how we protect our data.
Lessons from history
I have some papers at home from my French wife’s Great Grandfather; a cavalry officer who is receiving advice and orders from his government, dated November 1914, early in the first World War. They are fascinating reading, and as a strategic risk and pensions investment professional, I admire greatly the thought process in the letter.
The Minister of War calculates the losses in the trenches, and concludes that with the current status quo, and German technology, France will run out of man-power faster than Germany. He recognizes that France is in a bad place strategically, but then offers an audacious long term solution. The order is given to circulate the men at the front to enable meetings with “wives and girlfriends” regularly enough to ensure a steady future supply of soldiers. Arguably, avoiding a “generational gap” that helped France later in the second world war.
For me, the papers encapsulate many concepts that pension professionals will recognise; a quantification of future scenarios/outcomes; gauging the impact of technology; understanding asset management and growth; and thinking in generational timeframes. There is also a practical solution to a problem, and time is not lost in implementation.
We are on a different battlefield today, and I use the term advisedly. This is one of the reasons why GCHQ are behind the Cyber Essentials scheme (C.E). I am concerned that the kind of letter written in 1914 has not yet filtered down to our industry. CE provides a checklist of actions, designed and updated by GCHQ for organisations to stay safe in today’s connected world. Getting CE certified means that one is protected from up to 80% of common on-line threats.
To return to the military theme, the M.O.D. are taking this one step further by insisting that all suppliers carry “CE plus” certification. They are also insisting that this is done quickly. The worry that they are addressing is that the “baddies” can enter your systems indirectly through a weak link in the supply chain. Trustees should read that last sentence twice. The MOD mandate cyber essentials plus to their suppliers, even given the big names and professionalism of those involved. Where is the push from the pension community to do the same? And when did you last map your supply chain? We will come back to this point as we are still at the thin end of the wedge.
If someone was looking after my money, I would want them to meet this minimum CE standard (or, in investment management parlance, to insist on a benchmark that can’t be underperformed). Especially as certification is a low-cost exercise with no performance drag issues, and there is even the opportunity to reduce insurance premiums. Obviously, for most managers, banks and so on this exercise should be second nature and, one would hope, an easy hurdle to jump. But we are looking for weak links, and forcing CE plus compliance on those that we deal with will flush these out.
I mentioned the thin end of the wedge earlier on, as we must overlay cyber security with a true, non-trustee influenced compliance issue. We are currently legally obliged to comply with the new General Data Protection Regulation (GDPR). We will be open to punitive fines from May 2018. In the corporate world, this is up to 20% of global turnover. Lawyers that I talk to discuss lighthouse prosecutions on the horizon; I would not want this to fall on the pension industry. I don’t think that trust based structures were at the heart of the legislation design, and I could see a proverbial and unproductive bun fight between stakeholders if there is a pensions failure. As an aside, and contrary to popular belief, the current Brexit debate does not make a legal difference here. The work needed to be CE certified and GDPR compliant overlaps; the actions needed are complementary but are not the same.
If our French Minister of War in 1914 were writing today, what would he order? He would be calculating future outcomes, however long term and uncertain, and be striving to understand the impact of technology. He would also keep his eye on his assets’ health and growth, and develop practical solutions to perceived weakness. If he could have seen the number and extent of cyber and IT related issues that we have to deal with today, I could see his well-oiled moustache twitching with impatience to implement his strategy, and insist that everyone uses their positions of power to make things change yesterday.
With the benefit of hindsight, the French Government needed a little bit of help from some friends to sway things. No bad thing to have friends, and that’s what GCHQ is offering to the pensions industry.
To be clear, I do not work for GCHQ, but I can point anyone interested in the right direction to help work through GDPR and Cyber Essentials. There are other service providers available to do this too, but in the grander scheme this is not important; let’s just keep each other safe on the current battlefield.
If you want to contact Mark Bambury to find out more about his work, he can be reached at Mark Bambury firstname.lastname@example.org