Press release – PASA launches Cybercrime Guidance for Pensions Administrators

PASA today announced the launch of their new Cybercrime Guidance for Pension Administrators.

The Guidance aims to help administrators by outlining four key areas covering different elements of cybercrime: meeting legal and regulatory standards, understanding their organisation’s vulnerability to cybercrime, ensuring resilience, and finally in case of an attack, remaining able to fulfil critical functions.

Jim Gee, Chair of the PASA Cybercrime & Fraud Working Group says, “Pandemic or no pandemic, administrators have a crucial role to play in paying out pensions consistently and accurately. They have access to ‘rich’ personal and financial data and are therefore highly vulnerable to ransomware attacks. With thousands of administrators suddenly and unexpectedly thrown into working from home situations, and data being accessed by many people from many different locations, this has had a significant impact on what was already a very problematic issue. We have developed the guidance to support and guide administrators in continuing to protect themselves as much as possible. The fact of the matter is, many will be a victim of these attacks, even with the most stringent of procedures in place. The important thing will be how administrators minimise this risk and how they cope when it happens. Any help we can give to them, and guidance on how to deal with any aftermath, is a crucial part of our role in the industry.”

Gee adds, “In putting together this guidance we want pension administrators to be able to test their vulnerability, resilience and be prepared to function ably under any circumstances so they can continue with their crucial role in continuing to pay pensions uninterrupted.”

Kim Gubler, PASA Chair says “Cybercrime is continuously progressing. The situation has worsened since the Covid-19 crisis, and both the UK Government and international agencies have recognised this. With this guidance, PASA is asking it’s members to take relevant steps against any possible cyberattacks. As David Fairs, Directory of Regulatory Policy, Analysis and Advice at TPR has made clear, “It’s not a case of if you will be attacked, it’s a case of when”, and we must all be prepared.

The guidance can be found here.

About the Author

Lucy Collett