Pension Funds Insider

Pension Funds Insider brings the latest pensions news and industry insights; from investment and governance updates to new mandate appointments and pensions regulatory information.

Cybercrime and Pensions Administration

Image for Cybercrime and Pensions Administration pension funds

In 2019, cybercrime and fraud constituted 42% of all criminal activity. With the advances in technology the whole of society is experiencing, its no surprise that crime is evolving too..

We need to be alive to the fact pension schemes and administration providers are attractive to cybercriminals. Partly because of all the personal data processed but also because of the importance of ensuring pension payments continue uninterrupted, as well as the potential of ransomware attacks.

Information released by the Information Commissioner’s Office in July 2020 shows since the introduction of the General Data Protection Regulation there have been 158 reported breaches in the pensions sector. At least 43 were categorised as relating to security, unauthorised access or phishing.

What is cybercrime though? While recognising it is an evolving phenomenon, it typically takes one of two forms, phishing or ransomware.

Phishing, in broad terms, relates to obtaining sensitive information by disguising yourself as a trustworthy entity, which can be initiated by a variety of means. For example, targeted emails (spear phishing), altering previous emails (clone phishing), and website forgery or vishing (voice phishing). Ransomware involves gaining access to files in some form, making them inaccessible and holding them to ransom.

The Pensions Regulator (TPR) is very concerned about these issues, and in 2018 produced its first focused guidance concerning cybercrime, ‘Cyber Security Principles for Pension Schemes’, intended for trustees and scheme managers. Whilst TPR has no formal powers over administrators, it does have a statutory objective to promote good administration. In June 2019, David Fairs, Director of Regulatory Policy, Analysis and Advice at TPR made it clear “it’s not a case of if you will be attacked, it’s a case of when”.

At PASA we too recognise the risks associated with this issue and have developed our first new Standard since the original set of PASA Standards were introduced, focused on Cybercrime. The new Standard will be complemented by standalone Cybercrime Guidance. Both will be published in September 2020. These are intended to provide guidance for both third party and in-house administrators on the risks associated with cybercrime. The new Cybercrime Standard will join the current suite of PASA Standards to form the framework against which all PASA Accredited administrators are audited against. We encourage all pensions administrators to complete assessments to measure the extent to which they meet these standards.’

At a headline level, the Standard and Guidance will cover the following:

·       It may seem obvious, but administrators are expected to comply with relevant laws and guidance
·       Our expectation is for a ‘Cybercrime Vulnerability Assessment’ to be carried out at least annually to create an understanding of administrators’ vulnerability to cybercrime
·       Administrators must take steps to both protect from the risk, as well as recovery from an attack. This ensures they are resilient to cybercrime
·       Administrators must remaining able to fulfil critical functions, such as settlement of benefit and payment of pensions, in the event of an attack happening

In many aspects of our increasingly technological lives, we need to be more aware of the risks associated with cybercrime. The greater use of technology in our industry, and the attractive nature of the data we hold in relation to many thousands of individuals, means the threat is high. As a consequence, we need to ensure there is an appropriate and heightened level of focus on the risks associated with the data and information we hold. These risks will only increase as criminals become increasingly more sophisticated.

Whilst I am certain pension administrators recognise the risks associated with cybercrime, we believe it is vital there is a benchmark set for them. As such, we anticipate the Standard and Guidance we have developed will not only be helpful in defining a minimum benchmark for administrators, but will also assist schemes and their members in gaining comfort appropriate controls are in place and being monitored.

Look out for the publication of the new Standard and Guidance and take action!

*Crime Statistics for England and Wales

David Pharo, Board Director, at PASA