article image

Cybercrime protection

PRAG publishes guidance on cybercrime protection


The Pensions Research Accountants Group (PRAG) has published updated guidance to help trustees of pension schemes protect their schemes from cybercrime. The guidance has been put together by PRAG’s Cybercrime and Fraud Working Party and updates previous guidance published in 2018, to reflect the considerable developments and increase in cybercrime since then.

Jim Gee, Chair of the PRAG Cybercrime and Fraud Working Party, said, ‘Cybercrime is one of the problems of our age, with pensions organisations reporting 43 cybercrime breaches to the Information Commissioners Office since July 2018. Its prevalence had been growing significantly in the years before Covid-19 – together with fraud, it represented 42% of all crime in 2019. However, it has surged since the lockdown as organised criminals have redirected resources from drug manufacture and distribution. This is the case in the pensions sector as much as any other.

‘The guidance describes the rapidly evolving nature of cybercrime and legal/regulatory expectations, and then focuses on the three main action areas which are key to being properly protected. These are: 

-  understanding the nature of the scheme’s vulnerability to cybercrime 

-  ensuring the scheme is resilient to cybercrime; and ensuring that, if attacked, the scheme remains able to fulfil key functions 

-  a recommendation that schemes should consider obtaining independent verification that these actions are being followed – just like an independent audit of financial accounts.

‘Every trustee should read and act on this advice. Pension schemes need holistic, all-round protection to reduce the impact that an attack would have (and to be assured that their suppliers also have the required protection). The key is to be as secure as possible but to plan for a cybercrime attack happening and to be ready to manage and mitigate any damage.’

Shona Harvie, Chair of the PRAG Executive, said, ‘This updated guidance will help trustees respond to the increasing and developing threat of cybercrime within the pensions industry. I would like to thank Jim Gee and the other members of the working group for pulling this important guidance together so quickly. The PRAG guidance is aimed at trustees and can be used in conjunction with the soon-to-be-published PASA guidance for pensions administrators.’

Notes to editors: 


For further information or a copy of PRAG’s guidance paper, please contact PRAG’s Press Officer.

The full guidance is available electronically to all members through the member area of the website.