If GCHQ have a strategy, and the M.O.D. insist on it, why wouldn’t Pension Trustees adopt it too?

This blog is from Mark Bambury, a fine actuary with whom I worked 12 years ago. It raises important questions about how we protect our data.

Lessons from history

I have some papers at home from my French wife's great-grandfather, a cavalry officer who was receiving advice and orders from his government, dated November 1914, early in the First World War. They make fascinating reading, and as a strategic risk and pensions investment professional I greatly admire the thought process in the letter.

The Minister of War calculates the losses in the trenches and concludes that, with the status quo and German technology, France will run out of manpower faster than Germany. He recognises that France is in a bad place strategically, but then offers an audacious long-term solution. The order is given to rotate the men at the front so that they can meet their "wives and girlfriends" regularly enough to ensure a steady future supply of soldiers. Arguably this avoided a "generational gap", which helped France later in the Second World War.

For me, the papers encapsulate many concepts that pension professionals will recognise: quantifying future scenarios and outcomes; gauging the impact of technology; understanding asset management and growth; and thinking in generational timeframes. There is also a practical solution to a problem, and no time is lost in implementation.

We are on a different battlefield today, and I use the term advisedly. This is one of the reasons why GCHQ are behind the Cyber Essentials scheme (CE). I am concerned that the kind of letter written in 1914 has not yet filtered down to our industry. CE provides a checklist of actions, designed and updated by GCHQ, for organisations to stay safe in today's connected world; its five technical controls cover boundary firewalls, secure configuration, user access control, patch management and malware protection. The scheme's own estimate is that these controls protect against around 80% of common cyber attacks. That is a baseline rather than a guarantee: certification shows that the basics are in place, not that an organisation cannot be breached.

To return to the military theme, the MOD are taking this one step further by insisting that all their suppliers carry Cyber Essentials Plus certification (Plus adds an independent technical verification to the self-assessed basic certificate), and that they do so quickly. The worry being addressed is that the "baddies" can enter your systems indirectly through a weak link in the supply chain. Trustees should read that last sentence twice. The MOD mandate Cyber Essentials Plus for their suppliers, even given the big names and professionalism of those involved. Where is the push from the pension community to do the same? And when did you last map your supply chain? We will come back to this point, as we are still at the thin end of the wedge.

If someone was looking after my money, I would want them to meet this minimum CE standard (or, in investment management parlance, to insist on a benchmark that cannot be underperformed). Certification is a low-cost exercise with no performance drag, and there is even the opportunity to reduce insurance premiums. Obviously, for most managers, banks and so on this should be second nature and, one would hope, an easy hurdle to jump. But we are looking for weak links, and requiring Cyber Essentials Plus of those we deal with will flush these out.

I mentioned the thin end of the wedge earlier on, as we must overlay cyber security with a true compliance issue that trustees do not get to influence. We are legally obliged to comply with the new General Data Protection Regulation (GDPR), and we will be open to punitive fines from May 2018. For the most serious breaches these fines are up to €20 million or 4% of global annual turnover, whichever is higher. Lawyers that I talk to discuss lighthouse prosecutions on the horizon; I would not want this to fall on the pension industry. I don't think that trust-based structures were at the heart of the legislation's design, and I could see a proverbial and unproductive bun fight between stakeholders if there is a pensions failure. As an aside, and contrary to popular belief, the current Brexit debate does not make a legal difference here. The work needed to be CE certified and GDPR compliant overlaps; the actions are complementary but not the same. CE is about technical controls on your own systems, whereas GDPR also governs what personal data you hold, on what lawful basis, for how long, and how quickly you report a breach.

If our French Minister of War of 1914 were writing today, what would he order? He would be calculating future outcomes, however long term and uncertain, and striving to understand the impact of technology. He would also keep his eye on his assets' health and growth, and develop practical solutions to perceived weaknesses. If he could have seen the number and extent of cyber and IT related issues that we have to deal with today, I could see his well-oiled moustache twitching with impatience to implement his strategy, and insisting that everyone uses their positions of power to make things change yesterday.

With the benefit of hindsight, the French Government needed a little bit of help from some friends to sway things. No bad thing to have friends, and that’s what GCHQ is offering to the pensions industry.

To be clear, I do not work for GCHQ, but I can point anyone interested in the right direction to help work through GDPR and Cyber Essentials. There are other service providers available to do this too, but in the grander scheme this is not important, let’s just keep each other safe on the current battlefield.

If you want to contact Mark Bambury to find out more about his work, he can be reached at mark.bambury@gmx.com


About Henry Tapper

Founder of the Pension PlayPen, partner of Stella, father of Olly. I am the Pension Plowman.
This entry was posted in pensions.

2 Responses to If GCHQ have a strategy, and the M.O.D. insist on it, why wouldn’t Pension Trustees adopt it too?

  1. George Kirrin says:

    Cyber Essentials sounds like a work creation scheme for certain IT professionals.

    It’s also a pity the acronym CE may be confused with another, earlier one which is nevertheless still current: CE Marking. The letters "CE" are the abbreviation of the French phrase "Conformité Européenne", which literally means "European Conformity". The term initially used was "EC Mark", and it was officially replaced by "CE Marking" in Directive 93/68/EEC in 1993.

    The letters ‘CE’ appear on many products traded in the extended Single Market in the European Economic Area (EEA). They signify that products sold in the EEA have been assessed to meet high safety, health, and environmental protection requirements.

  2. Con Keating says:

    Henry – There was also nothing new about such attrition analyses. Indeed, the discussion of fertility and population growth was a French favourite dating back to the Napoleonic wars. Zola wrote on it. It was at its height in the 1890s, with organised lobbying to ban contraception and much more.
