Pasa launches pensions administration cybercrime guidance

The Pensions Administration Standards Association (Pasa) has launched guidance to help pension administrators avoid and deal with cybercrime.

The cybercrime guidance, produced in partnership with Crowe, sets out four key areas for administrators to consider.

It urges pension administrators to ensure they are meeting legal and regulatory standards, including The Pensions Regulator’s (TPR’s) Cyber security principles for pension schemes guidance, published in April 2018.

Pasa’s guidance also called on administrators to understand their organisation’s vulnerability to cybercrime, and detailed how cybercriminals often operate and the ways in which organisations could be vulnerable to an attack.

It noted that pension organisations can be attractive to cybercriminals due to the amount of detailed personal and financial data they hold. Cyber-attacks can be particularly damaging because pensions are often a trusted public office, their data can be used against other organisations or individuals, and there is a public expectation that pension companies are secure.

Ensuring their organisation is resilient to cybercrime was the third key area outlined in the guidance and a list of risk mitigation techniques was detailed for administrators, including regularly mapping and documenting data.

Finally, it urged administrators to consider whether they would remain able to fulfil key functions in the event of a cyber-attack and assess the arrangements they have in place if one does occur.

“Pandemic or no pandemic, administrators have a crucial role to play in paying out pensions consistently and accurately,” commented Pasa Cybercrime and Fraud Working Group chair, Jim Gee. “They have access to ‘rich’ personal and financial data and are therefore highly vulnerable to ransomware attacks.

“With thousands of administrators suddenly and unexpectedly thrown into working from home situations, and data being accessed by many people from many different locations, this has had a significant impact on what was already a very problematic issue.

“We have developed the guidance to support and guide administrators in continuing to protect themselves as much as possible. The fact of the matter is, many will be a victim of these attacks, even with the most stringent of procedures in place. The important thing will be how administrators minimise this risk and how they cope when it happens.”
