Cybercrime guidance from PASA for pension administrators

Cybercrime guidance from PASA for pension administrators

With millions of people’s pension data kept by pension administrators, the new Cybercrime guidance from the Pensions Administration Standards Association (PASA) is very welcome. The four critical areas covered are:

  • Meeting legal and regulatory standards
  • Understanding an organisation’s vulnerability to cybercrime
  • Building and maintaining resilience
  • Continuing critical functions once attacked

The Covid-19 requirements to work from home mean that pension administrators are accessing pension systems from their home, and that cybercriminals have targeted the pension industry because of its rich source of personal data.

PASA guidance is for pension administrators to test their vulnerability, resilience and function to the required professional standards. David Fairs, Director of Regulatory Policy, Analysis and Advice at the Pensions Regulator (TPR) has stated: “It’s not a case of if you will be attacked, it’s a case of when” and we must all be prepared.

Some key points from the 14-page guidance are:

What is Cybercrime

  • Cybercrime is with us for ever: In 2019 42% of all crime was cybercrime and fraud (source: Crime statistics for England and Wales)
  • TPR’s first focused guidance in April 2018 ‘Cyber security principles for pension schemes’ made it clear that trustees need to risk-assess administrators, and TPR will be following up on cybercrime vulnerabilities with administrators
  • There are three cybercrime techniques:
    • Phishing – the dishonest attempt to obtain sensitive personal data by disguising yourself as a trusted email source. 91% of all cyber-attacks start with a phishing email (source: Cofense solutions)
    • Ransomware – the encryption of a victim’s datafiles, demanding a ransom payment to give access back to the data; or loading pornographic images; or requiring Windows software to be re-installed. This includes locking access to a mobile device
    • Leakware – the threat to publish information stolen from the victim

How to assess your vulnerability to cybercrime key questions

  • How attractive is an organisation to cybercrime?
  • What would be the extent of damage caused by a cybercrime attack?
  • How cybercrime resilient is an organisation (and its suppliers)?

Within the PASA guidance these questions are examined in useful detail.

Links to further information and guidance

  • The legal and regulatory environment (appendix 1) sources of information from TPR, ICO, NCSC, FCA

Actions you can take are to read the guidance and circulate it amongst your management teams and answer the questions posed.

Another action Assure UK will be taking is to discuss with clients  for AAF 01/06, AAF 02/07, AAF 01/20, AAF 05/20, ISAE 300, ISAE 3402 and pension scheme work to raise the level of understanding and controls responses.

The guidance is here:

If you have any questions, please contact us on 020 7112 8300 alternatively you can email