Recently, it has been reported in the press that at least one administrator was subjected to a ransomware attack. Sadly, what has been predicted for some time came to pass. Indeed, David Fairs, Director of Regulatory Policy, Analysis and Advice at TPR, has made clear that “It’s not a case of if you will be attacked, it’s a case of when.”
This is why, in recent months, I have been leading efforts by two industry bodies – The Pensions Administrators Standards Association (PASA) and the Pensions Accountants Research Group (PRAG) – to develop, respectively, new standards for administrators and new guidance for pensions schemes and trustees. This work, conducted with record speed, given the nature of the documents, has been undertaken by separate groups of industry representatives who have displayed great diligence.
The new standards and the new guidance will be issued in September, and both reflect a common approach. Pensions organisations need to be as well protected as possible, but, given the prevalence of cybercrime (in 2019, 42% of all crime in England and Wales was cybercrime and fraud) and the security levels of organisations that have been successfully attacked (including the White House, the Pentagon and the CIA building), they also need to be prepared to manage an attack if it happens, to recover from it and to mitigate any damage. All three elements are important, but, hitherto, some pensions organisations have neglected the second and third.
The new standards and guidance focus on four key areas:
The second point is key to informing the action needed in respect of the third and fourth points. If you don’t understand the nature and extent of your vulnerability, it is very difficult to be well placed to reduce it. Crowe has a free online tool – at www.crowecybercrime.com – based on the latest research with the University of Portsmouth’s specialist research team, which helps to provide insight in this respect.
Another key point is obtaining independent verification that the required level of protection, management and recovery is in place, especially in respect of third-party suppliers. This is just as important as an independent audit of accounts, and Crowe already undertakes cybercrime protection assurance work for its clients.
One thing is certain, though: the cybercrime threat is escalating, especially with the impact of the COVID-19 health and economic crisis. We are seeing more remote working, sometimes involving systems where the priority has been to get them working at all rather than making them secure; we are seeing a period where pre-existing controls don’t quite operate as they used to; and we are seeing cybercriminals, emboldened by their success, undertaking a wider range of attacks and deploying ever-evolving techniques.
In the pensions sector, a successful attack can mean extensive financial and reputational damage and, potentially, unless there are strong arrangements in place to manage and recover, members not being paid. In the current period, being confident that proper protection against cybercrime is in place should be right at the top of the ‘to do’ list for every pensions organisation.