PRAG Guidance: How Cybercrime affects Pension Schemes

Last updated: Tuesday April 24th 2018

The Pensions Research Accountants Group (PRAG) has published new guidance for trustees of pension schemes, the pension sector organisations that support them, and their advisers on the holistic protection needed to minimise the damage that cybercrime can cause.

The Pensions Regulator has also just issued guidance for trustees on the “Cyber Security Principles for Pension Schemes”. The Regulator’s guidance states that trustees and scheme managers need to take steps to protect members and assets, which includes protecting them against cyber risk, regardless of the size or structure of a scheme. It goes on to say that trustees should assure themselves that all third-party suppliers have put controls in place to protect member data and scheme assets. The PRAG guide builds on the Pensions Regulator’s recommendation.

Bhavesh Patel, Assure UK Senior Manager and a member of the PRAG Data Protection and Cyber Security Working Party that put this guidance together, says: “Cybercrime continues to grow exponentially. It is therefore important to put policies and plans in place to deal with any attacks. The impact of a cyber-attack for an organisation’s finances and reputation can be significant and can impact the organisation’s ability to operate. With pension schemes holding personal information, it is important that trustees understand their obligations and ensure suitable measures are in place”.

The working party was formed in 2017 with the scope to consider the risks to pension schemes of the forthcoming General Data Protection Regulations (GDPR) and the increasing prevalence of cybercrime.

Tara Wooton, Chair of the PRAG Data Protection and Cyber Security Working Group, said: “Pension schemes and their third-party providers need holistic protection to reduce the impact that an attack would have. The key is to be as secure as possible but also to plan for a cybercrime attack happening and to be ready to manage and mitigate any damage”.

The guidance is available in the members’ area of the PRAG website.