The Pensions Research Accountants Group (PRAG) has published updated guidance which is aimed at helping pension scheme trustees to protect their schemes from cybercrime.

Considerable developments and increases in cybercrime is cited as the reason PRAG have updated their 2018 guidance on cybercrime. Some key points that Jim Gee, Chair of the PRAG Cybercrime and Fraud Working Party, has raised are:

  • the prevalence of pension related cybercrime has grown significantly over the years, with 43 pension organisations reporting cybercrime breaches to the Information Commissioners Office (ICO) since July 2018;
  • the problem has been made worse by the Covid-19 pandemic, as members of organised crime redirect their resources away from drug manufacture and distribution to online activities;
  • the guidance focuses on key areas for schemes in the pursuit of increased cyber security, which are:
    • understanding the nature of the scheme's vulnerability to cybercrime;
    • ensuring the scheme is resilient to cybercrime; and
    • ensuring that, if attacked, the scheme remains able to fulfil key functions.

Gee’s view is that "every trustee should read and act on this advice…the key is to be as secure as possible but to plan for a cybercrime attack happening and to be ready to manage and mitigate any damage."

Burges Salmon agree that these are important areas of focus. We would recommend that all pension scheme trustees:

  • carry out an initial cyber security risk assessment;
  • have an incident response plan in place;
  • audit their key advisers and suppliers (particularly administrators and investment managers);
  • consider their cyber insurance cover (if any) and whether this should be put in place;
  • monitor cyber risks on an ongoing basis, including on the scheme’s risk register;
  • have regular trustee training on cyber security, including warning signs of cyber security scams and common preventative measures.

Cyber security attacks have felt closer to home for the pensions industry this year, with reports that at least one pensions administrator had been subject to a ransomware attack in July 2020.

Due to their very nature, pension schemes present criminals with a potential source of significant quantities of data and assets. The industry and the Pensions Regulator (TPR) recognise that schemes are a prime target for fraudsters and criminals. TPR’s published guidance highlights that all “pension scheme trustees need to take active steps to protect members and assets against cyber risk” and both TPR and the Pensions Administration Standards Association (PASA) recommends that trustees prepare for ‘when’ a cyber security incident occurs rather than ‘if’ an incident occurs.

Reflecting the seriousness of this risk for the pensions industry, PASA announced in July 2020 that it will be developing a new PASA Standard on Cybercrime as well as standalone Cybercrime Guidance, both of which are still awaited.

The latest guidance is available to PRAG members on its website (www.prag.org.uk) and PRAG’s press release in relation to this guidance can be accessed here: https://www.prag.org.uk/wp-content/uploads/2020/10/PRAG-cybercrime-press-release-October-2020.pdf