The trade body builds on its November 2020 checklist by providing specific examples of what administrators can do.
Shows examples of how to increase resiliency to meet legal and regulatory standards, understand the vulnerability of the organization, and ensure it is resilient while still being able to fulfill key functions.
The list comes after a noted increase in cyberattacks and data breaches at businesses over the past year, as cybercriminals upped their game during the pandemic work-from-home trend.
Unfortunately, even following all the steps in the checklist may not prevent a successful cyberattack.
“Administrators can be resilient to cybercrime if they are as well protected as possible, can manage an attack when it occurs, and can investigate what happened and recover and mitigate any damage,” the PASA checklist states.
‘The digital criminal world moves fast’
Administrators must review relevant legislation on an ongoing basis to understand what is required to achieve and maintain compliance, it added.
They should then conduct a more in-depth analysis of their cybercrime vulnerabilities, document both the process and the results and commit to repeating it at least once a year, as well as assess the company’s attractiveness to cybercriminals.
Before considering checklists in each area, PASA said administrators should designate a designated person with overall responsibility for cybersecurity and resiliency, as well as relevant team members who have day-to-day responsibility in defined areas. .
Next, they must analyze and understand their data, systems, applications, facilities, and process flows, and how they integrate with business operations.
Third, they must understand the different people and groups they interact with, such as employees, contractors, temporary workers, vendors, customers, and members.
Fourth, they should consider who will be responsible for using the checklists to assess cybersecurity and resilience readiness to ensure independence.
However, PASA cautioned that its examples are not exhaustive, noting that even if administrators follow all the steps they suggest, it may not prevent a successful cyberattack.
Jim Gee, chair of PASA’s Fraud and Cybercrime Task Force, said, “The digital criminal world moves quickly, and unfortunately, even following all the steps in the checklist may not prevent a successful cyberattack. We encourage each administrator to review their own vulnerabilities and add more steps that are relevant to their own environment.”
Cybercrime is on the rise
According to RSM’s ‘The Real Economy’ report, 27 percent of mid-market businesses suffered a cyberattack in the past year, up from 20 percent the year before, while the proportion reporting a data breach increased of 13 percent. percent in 2021 to 34 percent in 2022.
Since trustees are responsible for some valuable member data, they can become a big target for cyber criminals.
Ransomware attacks in which hackers steal or encrypt data and then hold a business for ransom more than doubled in 2021, according to the Information Commissioner’s Office.
Ian Bell, head of pensions at RSM, said administrators need to understand which outside organizations have access to that data, be it the administrator, actuary or auditor.
The pension sector warned that commercial data breaches almost tripled
Pension trustees have been urged to be vigilant after businesses experienced a surge in cyberattacks and data breaches over the past year as cybercriminals upped their game during the shift to home working.
Once they understand their “cyber footprint,” they can start thinking about what controls are in place to make sure data is as protected as it should be, he said. They can then start implementing additional controls to make sure the data is protected.
“Until they have an exact idea of how extensive their cyber footprint is, it’s very difficult for administrators to say they’ve looked at it,” Bell said.
“It all comes down to the educational part, understanding the cyber footprint, and then making sure the data and controls around it are as good as they should be.”