We need to be alive to the fact pension schemes and administration providers are attractive to cybercriminals. Partly because of all the personal data processed but also because of the importance of ensuring pension payments continue uninterrupted, as well as the potential of ransomware attacks.

Information released by the Information Commissioner’s Office in July 2020 shows since the introduction of the General Data Protection Regulation there have been 158 reported breaches in the pensions sector. At least 43 were categorised as relating to security, unauthorised access or phishing.

What is cybercrime though? While recognising it is an evolving phenomenon, it typically takes one of two forms, phishing or ransomware.

Phishing, in broad terms, relates to obtaining sensitive information by disguising yourself as a trustworthy entity, which can be initiated by a variety of means. For example, targeted emails (spear phishing), altering previous emails (clone phishing), and website forgery or vishing (voice phishing). Ransomware involves gaining access to files in some form, making them inaccessible and holding them to ransom.

The Pensions Regulator (TPR) is very concerned about these issues, and in 2018 produced its first focused guidance concerning cybercrime, ‘Cyber Security Principles for Pension Schemes’, intended for trustees and scheme managers. Whilst TPR has no formal powers over administrators, it does have a statutory objective to promote good administration. In June 2019, David Fairs, Director of Regulatory Policy, Analysis and Advice at TPR made it clear “it’s not a case of if you will be attacked, it’s a case of when”.

At a headline level, the Standard and Guidance will cover the following:

·       It may seem obvious, but administrators are expected to comply with relevant laws and guidance

·       Our expectation is for a ‘Cybercrime Vulnerability Assessment’ to be carried out at least annually to create an understanding of administrators’ vulnerability to cybercrime

·       Administrators must take steps to both protect from the risk, as well as recovery from an attack. This ensures they are resilient to cybercrime

·       Administrators must remaining able to fulfil critical functions, such as settlement of benefit and payment of pensions, in the event of an attack happening

In many aspects of our increasingly technological lives, we need to be more aware of the risks associated with cybercrime. The greater use of technology in our industry, and the attractive nature of the data we hold in relation to many thousands of individuals, means the threat is high. As a consequence, we need to ensure there is an appropriate and heightened level of focus on the risks associated with the data and information we hold. These risks will only increase as criminals become increasingly more sophisticated.

Whilst I am certain pension administrators recognise the risks associated with cybercrime, we believe it is vital there is a benchmark set for them. As such, we anticipate the Standard and Guidance we have developed will not only be helpful in defining a minimum benchmark for administrators, but will also assist schemes and their members in gaining comfort appropriate controls are in place and being monitored.

Look out for the publication of the new Standard and Guidance and take action!

*Crime Statistics for England and Wales