Schemes and administrators have been urged to strengthen their cybercrime resilience after heightened criminal interest in the sector.
The call comes after reports surfaced that one unnamed pensions administrator had suffered - and thwarted - a ransomware attack.
The Pensions Administration Standards Association (PASA) said it was "aware" of current heightened interest from cybercriminals in the pensions sector.
It said: "This has the potential to have a very serious impact unless administrators are properly protected because of people's reliance on them to settle and pay their benefits from pension schemes."
PASA is currently finalising detailed guidance on how to maintain resilience in the face of cybercrime and has created a number of standards which will be published in September and incorporated into its accreditation process.
In the meantime, it urged schemes and administrators to make sure they understand their vulnerability to cybercrime.
The Pensions Regulator agreed. A spokesman said: "Pensions schemes hold significant amounts of valuable data which make them targets for fraudsters and cyber criminals, so it's vital that trustees and managers treat cyber security as a key risk and ensure third-party administrators do the same."
The regulator has also published guidance on cyber-security for pension schemes.
Crowe UK is the expert partner for PASA's cybercrime and fraud working group, which was set up earlier this year.
Partner and national head of forensic services Jim Gee - who chairs the PASA working group and is also a chair of the Centre for Counter Fraud Studies at the University of Portsmouth - said there had been a big increase in cybercrime generally over the past 15 years, particularly so over the past two years and during the Covid-19 pandemic.
Gee said the pandemic had been a particular factor in the most recent increase as large numbers of businesses had set up remote working at speed after the lockdown - and the security and controls usually in place were not always working so well in a remote working environment.
He also said criminals had changed their behaviour in lockdown, with the biggest threat coming from organised crime "businesses" rather than teenagers hacking from their bedrooms or state actors.
Gee explained: "When the lockdown started, organised crime businesses saw their main source of income, the manufacture and distribution of drugs, was disrupted so they redirected significant resources from drugs into cybercrime."
He added: "The threat heightened, the defences were weakened and that is why we have a real spike in cybercrime now."
Gee said there were four key steps schemes and administrators could take now.
- Understand their cybercrime vulnerability:
  i) How attractive they are to cybercriminals - for example, Gee said, schemes hold and process rich seams of personal data, which are very attractive because they can be used to attack and defraud others or resold to others who will do this.
  ii) What financial and reputational damage would be done if an attack took place - Gee explained that many pensions organisations are highly trusted, so the potential for damage is significant.
  iii) To what extent they are cybercrime resilient - i.e. able to manage an attack if it happens and to recover from and mitigate any damage.
- Strengthen their cybercrime resilience and reduce their vulnerability (as above).
- Make sure that they can continue to undertake key functions such as paying member benefits, managing investments, etc.
- Obtain independent assurance that they are well protected - Gee said simply asking those who currently provide this protection whether they are well protected is not enough. He said that if financial accounts are audited to check they are correct, then it is at least as important to obtain independent verification that pensions organisations are properly protected against cybercrime.