The Pensions Administration Standards Association has published a new cyber crime checklist, advising administrators to keep up to speed with legislation and assess their vulnerabilities to cyber attacks amid a spike in online criminal activity.

The trade body builds on its November 2020 checklist by providing specific examples of what can be done by administrators. 

It showcases examples of how to increase resilience to meet legal and regulatory standards, understand the organisation’s vulnerability, and ensure it is resilient while also being able to fulfil key functions.

The list comes after an observed increase in cyber attacks and data breaches across businesses over the past year as cyber criminals upped their game during the pandemic working-from-home trend. 

“Administrators can be cyber crime resilient by being as well protected as possible, able to manage an attack when it occurs, and able to investigate what’s happened and recover and mitigate any damage,” PASA’s checklist stated.

‘The digital criminal world is fast-moving’

Administrators should review relevant legislation on an ongoing basis to understand what is required to achieve and maintain compliance, it added. 

They should then conduct a deeper analysis of their vulnerabilities to cyber crime, documenting both the process and its outcomes and committing to repeat it at least annually, as well as assessing how attractive the company is to cyber criminals.

Before considering the checklists in each area, PASA said administrators should appoint a named individual with overall accountability for cyber security and resilience, as well as relevant team members who have day-to-day responsibility in defined areas. 

They should then analyse and understand their data, systems, applications, premises and process flows, and how they integrate with the business operations. 

Third, they should understand the different people and groups that they interact with, such as employees, contractors, temporary workers, suppliers, clients and members. 

Fourth, they should consider who will be responsible for using the checklists to assess cyber security and resilience readiness to ensure independence.

However, PASA warned its examples are not exhaustive and pointed out that even if administrators follow all the steps they suggest, this may not prevent a successful cyber attack.

Jim Gee, chair of PASA’s Cybercrime and Fraud Working Group, said: “The digital criminal world is fast-moving and, unfortunately, even following all the steps on the checklist may not prevent a successful cyber attack. We encourage each administrator to review their own vulnerabilities and add further steps which are relevant to their own environment.”

Cyber crime is increasing

According to RSM’s ‘The real economy’ report, 27 per cent of middle-market businesses have experienced a cyber attack in the past year, up from 20 per cent in the previous year, while the proportion that reported a data breach rose from 13 per cent in 2021 to 34 per cent in 2022.

Given that trustees are responsible for some valuable member data, they can become a big target for cyber criminals. 

Ransomware attacks, in which hackers either steal or encrypt data and then hold a business to ransom for it, doubled in 2021, according to the Information Commissioner’s Office.

Ian Bell, head of pensions at RSM, said trustees need to understand which external organisations have access to that data, whether it is the administrator, actuary or auditor.

Once they understand their “cyber footprint”, they can then start to think about what controls are in place to make sure that data is as protected as it should be, he said. Then they can start to put any additional controls in place to make sure the data is protected. 

“Until they get a handle on exactly how wide their cyber footprint is, it’s very difficult for trustees to say they’ve looked at it,” Bell said. 

“It comes down to the education piece, understanding cyber footprint, and then making sure the data and the controls around it are as good as they should be.”