Pension Funds Insider


Protecting pension scheme members from cybercrime


Cyber security: preparing for and protecting ourselves against a cybercrime attack is possible, but immunisation is impossible.

As a result of the COVID-19 pandemic, savers are increasingly being targeted by scammers. In 2019, 42% of all crime related to cybercrime and fraud; this figure has increased to over 50% since COVID-19 emerged. As a result, many industry bodies are now urging members and administrators to exercise extreme caution.

Scheme administrators face potential cyber threats on a day-to-day basis, including techniques such as phishing, ransomware or hacking. These attacks can come from multiple devices (computers, laptops and mobiles) using different communication channels (emails, messaging and phones), all of which are used in most aspects of running pension schemes.

On 9 November 2020, the Pensions Administration Standards Association’s (PASA) Cybercrime and Fraud Working Group published guidance on how trustees and scheme administrators can maintain resilience in the face of cybercrime. The guidance highlights the significant, growing and ever-changing problem, and aims to help administrators meet their legal and regulatory standards, understand their organisation’s vulnerability to cybercrime, ensure resilience and, in case of an attack, remain able to fulfil critical functions.

Helping administrators meet legal and regulatory standards

Scheme administrators need to constantly adapt to the ever-changing legal and regulatory standards expected of them:

- PASA has reviewed and strengthened its Standards to reflect thinking on cybercrime, which will also be incorporated into its Accreditation process
- The Pensions Regulator (TPR) emphasises the importance of schemes understanding their vulnerabilities and having appropriate processes in place to deal with incidents
- TPR has also announced it will begin risk-assessing administrators in a number of areas, including cybercrime

Understanding your organisation’s vulnerability to cybercrime

Scheme administrators are particularly attractive to cybercriminals because of:

- The type and volume of personal data they hold;
- The crucial need for pensions to be paid, meaning ransomware attacks are more likely;
- The need for constant adaptation to the methods used by cybercriminals; and
- Their dependence on various advisers and service providers who assist with running schemes (such as actuaries, consultants and accountants), which gives cybercriminals a larger attack surface

A number of high-profile cybercrime attacks have taken place in the past few years. While the foremost thought for all of us is the members, it is important to note that a cyber-attack can also damage a business’s reputation, so cybercrime should be considered a key business risk too.

Having appropriate policies, procedures and systems in place to ensure cybercrime resilience

It may be difficult to predict the nature and scale of a cyber-attack, but if trustees and scheme administrators ensure they have appropriate levels of protection and secure IT systems in place, this can go a long way towards helping them prevent one. The following measures could help trustees and scheme administrators with this:

- Cyber security training – provided to scheme administrators and trustees, with refresher sessions delivered frequently, e.g. annually
- Access control – staff access to member data is controlled and monitored so that only individuals who require access to particular data are permitted it
- Obtaining external accreditation – examples include ISO 27001 and Cyber Security Essentials
- Security/encryption – sensitive data should be transferred using a secure, encrypted file transfer system. QFile is used within Quantum Advisory for this purpose and includes features such as two-factor authentication when an individual logs in and an automatic expiry date on documents after a chosen interval. Password management should be monitored, and antivirus protection should be reviewed and updated in real time
- Educate members – include warnings in member communications and steps members can take to protect themselves from an attack
- At Quantum Advisory, member-specific information is not provided to third parties and is only sent directly to members (even if the request comes from a third party with appropriate authorisation)

Cybercriminals are using sophisticated market research techniques and intelligence to exploit weaknesses in individuals or large businesses. With this in mind, pension scheme trustees should include this topic on agendas for upcoming trustees’ meetings. Trustees and scheme administrators should also ensure they have appropriate internal controls in place and look into updating their risk registers to account for cyber-related risks and any steps taken to mitigate them.

Most scheme risk registers contain static risks with long-established mitigating measures in place; cybercriminals, however, adapt their methods to keep pace with changes in society. It is therefore important not only for trustees to think carefully about adding cyber security to their risk registers, but also to understand their own vulnerabilities and those of the third parties on which they rely. Trustees should not update their risk register as a ‘tick-box’ exercise, but instead spend time considering the specific issues facing them and their advisers. It may also be useful to include representation from the scheme administrator in these discussions to ensure that all aspects can be considered.

Being able to fulfil critical functions, mitigate any damage and recover

With appropriate incident response plans and policies in place, trustees and scheme administrators should be able to crisis-manage a cybercrime attack effectively and ensure that they can still fulfil critical functions, e.g. paying pensions. This involves reporting a breach promptly to the Information Commissioner’s Office (ICO), investigating the breach and working out how quickly data can be restored.

Trustees are not expected to be experts in the field of IT systems and computer coding, but PASA hopes that its guidance will help trustees and administrators become more cyber-resilient. David Fairs, Director of Regulatory Policy, Analysis and Advice at TPR, once stated that “it is not a case of if you will be attacked, it’s a case of when”.

Gena Morris, Associate Consultant, Quantum Advisory