Pensions Administration and Cybercrime

Cybercrime is a rapidly evolving and continuously changing phenomena and involves intrusions into computers and networks (hacking) and/or the disruption of computer services. Data stolen by means of cybercrime can then be used for fraudulent purposes.

Cybercrime is an increasing risk to all businesses – especially at this time of changed working practices in response to the global pandemic – and Third Party Pension Administrators (TPAs) are attractive targets because of their access to ‘rich’ personal and financial data about large numbers of people. It is therefore vital for TPAs to protect themselves effectively.

With this in mind, on 9 November 2020, PASA launched its Cybercrime Guidance. The aim of this guidance is to help Pension Administrators review their vulnerability to cybercrime, challenge their resilience to an attack and be prepared to function ably afterwards.

Andy Cassin from Willis Towers Watson advises – “Any business should treat Cybercrime as one of the many risks it faces – and address it appropriately. The first step is to assign accountability for this risk to an individual in your organisation – then provide them the necessary resources to at least understand the extent of the problem, before deciding what measures of mitigation and remediation are cost-effective for your organisation to implement.

The consideration of cost-effectiveness is critical: every organisation isn’t of the same size, doesn’t have the same level of resources and potentially faces different risks from cybercrime – and this is true of different TPAs too. However, simply ‘ignoring’ the risk because it seems too complicated or deciding you don’t have the resources to do anything about it because you are ‘too small’, is not a realistic response.”

Agreeing administrators need to take action now, Gillian Baker from Hymans Robertson LLP, summarises PASA’s guidance as four simple steps an administrator should undertake:

  • Understand the challenges and risks to your business
  • Consider the controls you need to have in place to mitigate the risk of an attack
  • Ensure your staff know how to spot the signs of a cybercrime attack and the actions to take if they are unsure or suspicious
  • Have a plan in place to remediate / recover / restore normal services – how you respond to any attack is key

Considering the problem from the 4 perspectives of PASA’s guidance, Andy and Gillian have identified some simple things an administrator of any size can have in place, or can do, to help protect themselves from the risk of Cybercrime:

1: Meet legal and regulatory standards

It is important to understand your legal and regulatory obligations in this context, and there is also a wealth of material from related sources to help shape your protection programme:

  • You will already have been required to take some fundamental steps to ensure compliance with GDPR and the UK Data Protection Act 2018
  • Review other requirements and advice on good practice from the likes of TPR, the National Cyber Security Centre (NCSC) and the FCA
  • Consider aligning to one of the long-standing and well-regarded standards for cyber security such as ISO27001 to ensure a holistic approach

2: Understand your organisation’s vulnerability to Cybercrime

Your approach to Cybercrime needs to be specific to your organisation – and your particular vulnerabilities:

  • Consider the different types of attack which can occur e.g. phishing, ransomware
  • Due to the complex nature of some cyber threats and vulnerabilities, consider using specialist third-parties to assist with the more technical parts of this process
  • Conduct a formal gap analysis of the PASA guidance against your existing Cybercrime protection programme to evaluate its strengths and weaknesses
  • Add Cybercrime into your risk register and consider the controls you have in place to mitigate this risk

3: Ensure your organisation is resilient to Cybercrime

Nowadays it is recognised all organisations of all sizes are subject to cyber-attacks and Cybercrime – and some of these will be successful to a greater or lesser extent. ‘Resilience’ therefore requires appropriate levels of protection to reduce the risk of a successful attack but also relevant controls to minimise the impact of a successful attack when it occurs:

  • All staff should be appropriately trained to recognise the signs of a cyber attack or Cybercrime – and they should know how to report any concerns
  • An Incident Management process should be in place to investigate any issues reported and manage them to a successful conclusion
  • This should combine with your business continuity and disaster recovery plans, so you can handle everything from relatively minor issues to major cyber attacks
  • Any response team should involve groups from across the organisation – IT, Legal and Compliance; potentially HR, Marketing/PR; but essentially, someone from a ‘business’ perspective as cyber incidents impact the business just like any other issues
  • Consider engaging a reputable third-party cyber security firm, so you can call on their specialist services to supplement your own team when required
  • Undertake phishing tests with your staff or create simulations of an attack
  • Keep an eye on what is happening in the industry – it could happen to you

4: Remain able to fulfil key functions

Do not think of the impact of cyber-attacks and Cybercrime simply in terms of how they might affect individual IT systems, sites or personnel – understand how those key resources impact your critical services so you can prepare to keep those services operating, or resume their operation as soon as it is safe to do so.

Consider what the critical services or functions are for your organisation:

  • Paying pensions, lump sums and death benefits?
  • Managing scheme bank accounts/payments/receipts?
  • Answering enquiries by telephone, post, email or via websites?
  • Issuing member and employer communications?
  • Are all services of equal importance for all clients/members?

In summary, Andy and Gillian recommend considering the simple ideas discussed above to ensure you are prepared against a cyber attack. This is a key issue for any business, and you need to be able to demonstrate you have considered the risk, taken appropriate steps to mitigate any potential issues and know what to do when an incident occurs. Never be complacent about Cybercrime as any organisation can be a victim – even yours!

Andy Cassin, Willis Towers Watson and Gillian Baker, Hymans Robertson

Members of the PASA Cybercrime & Fraud Working Group