Last month the Pensions Administration Standards Association (“PASA”) launched its cybercrime guidance for pension administrators. 

This guidance is a welcome addition to the growing toolkit to help the pensions industry manage cybercrime risk. This guidance sets the scene for the strengthening of the PASA Standards which is expected in the near future and these updated Standards will be incorporated into PASA’s accreditation process.

The guidance follows PASA launching a Cybercrime & Fraud Working Group earlier this year. Jim Gee, Chair of the PASA Cybercrime & Fraud Working Group, has said in PASA’s recent press release that: "In putting together this guidance we want pension administrators to be able to test their vulnerability, resilience and be prepared to function ably under any circumstances so they can continue with their crucial role in continuing to pay pensions uninterrupted."

The guidance urges PASA members to take relevant steps against any possible cyberattacks and sets out four key areas for administrators to consider, which are:

  • meeting legal and regulatory standards;
  • understanding their organisation’s vulnerability to cybercrime;
  • ensuring their organisation is resilient to cybercrime; and
  • remaining able to fulfil key functions (if there was a cyber-attack).

The guidance explores what cybercrime is, detailing how cybercriminals operate and the ways in which organisations could be vulnerable to attack. The guidance does, however, recognise that cybercrime is a “rapidly evolving and continuously changing phenomena”, which creates challenges in and of itself.

In our view, this guidance is helpful in setting out the building blocks for how administrators should protect themselves effectively against the clear threat of cybercrime, particularly in light of the reports that at least one pensions administrator was subject to a ransomware attack in July 2020. The guidance states that 158 breaches have been reported to the ICO in relation to the pensions sector since the introduction of GDPR and at least 43 of these appear to relate to cybercrime, which shows that cybercrime is actively happening in the UK pensions sector.

The guidance also states that the two main cybercrime techniques are phishing and ransomware being inserted into a computer. In relation to phishing, like many businesses scheme administrators will generally train their staff on a regular basis about how to spot warning signs and identify phishing emails.

Burges Salmon recommends that pension scheme trustees also keep up to date on phishing techniques through regular trustee training on this topic.

In regards to organisations’ vulnerability, three main factors are identified and are relevant to pension administrators:

  • how attractive an organisation is to cybercriminals;
  • what the extent of the damage caused by a cybercrime attack would be; and
  • how resilient an organisation (and its suppliers) is to cybercrime.

The importance of understanding vulnerabilities, of complying with legal and regulatory standards, and of becoming cyber resilient (managing an attack if it does take place, minimising any damage, and maintaining key functions) are key takeaways.

Whilst this guidance is for pension administrators, it is also helpful for pension scheme trustees to understand what steps their scheme administrators should be taking to ensure that they are following recommended guidance in relation to cybercrime for the pensions industry.

Burges Salmon agrees that this is an important area of focus for the coming year, and recommends that trustees:

  • ask questions of their scheme administrators in relation to cyber security to check whether they are comfortable with the processes their administrators have in place if they were to suffer a cyber-attack. Assistance may be needed to evaluate responses where the trustee board feels that is necessary; and

  • consider whether their contracts with administrators and any other relevant third party suppliers (including investment managers and custodians) provide for an appropriate level of protection and certification, as well as  formally recording how the parties would work together in the event of any data breach or cyber-attack.

This approach ties in with comments from David Fairs, the Pensions Regulator’s Director of Regulatory Policy, Analysis and Advice, cited in the guidance – he has made it clear that “it's not a case of if you will be attacked; it's a case of when”.

The guidance is available on PASA’s website and can be accessed here: