Capita cyber incident: what’s the latest?
Putting aside any speculation in the press in recent days, the official statements from Capita set out the following position regarding Capita’s ongoing cyber incident:
- On 3 April 2023, Capita plc (Capita) announced that it had experienced a cyber incident 3 days previously, on 31 March 2023. Capita reported that the incident primarily impacted access to internal applications and caused disruption to some services provided to certain clients, although the majority of Capita’s client services were stated to remain in operation. In its statement, Capita gave assurance that there was no evidence of customer, supplier or colleague data having been compromised.
- Capita has since released a statement on 20 April 2023, detailing that their investigations to date show that there is “some evidence of limited data exfiltration […] which might include customer, supplier or colleague data”. Capita affirms that it will continue to work through its forensic investigations and will notify any customers, suppliers or colleagues that are impacted “in a timely manner”.
What does this mean for pension schemes?
We are aware that the Pensions Regulator (tPR) is writing to pension schemes that have Capita as their administrator, asking the trustees of those schemes to provide tPR with information on what steps they have taken to ensure that their obligations as data controller have been met in order to protect members’ data.
In these communications, tPR reiterates the importance of having robust cyber security and business continuity policies in place, highlighting their guidance on cyber security principles, as well as the Information Commissioner’s Office’s guidance on IT security.
Many schemes have Capita as their administrator, and trustees might be wondering what the next steps are in terms of how they can gain assurance that the data processed by their pension administrator is secure, while ensuring that members’ interests are protected. We would recommend that, to the extent they have not already done so, trustees who are affected contact their advisers as soon as possible, invoke their incident response plans and check their administration contracts to see what (if any) contractual obligations Capita have to keep the trustees updated in relation to cyber incidents.
This incident highlights the gravity of cybercrime, and the hard-hitting reality that schemes need to be prepared for “when”, rather than “if” a cyber incident occurs, as has been the mantra of tPR for some time now. It is particularly interesting to see tPR taking such a proactive approach to contacting trustees about what steps they are taking – underlining the priority that tPR is giving to cyber security for pension schemes.
Whether or not Capita is their scheme’s administrator, trustees need to be asking themselves this: if our scheme’s administrator was affected, would we be in a position to give the response that tPR would want to hear?
How can we help?
Burges Salmon recognise that cybercrime is one of the single biggest risks for pension schemes. We recently held a cyber security webinar which focused on preventative and reactive measures trustees can implement to help to reduce and mitigate cyber risk, as well as what to do when faced with a potential cyber-attack.
We have also recently launched our Cyber Security Package offering, which consists of key policy documents and training materials which trustees should implement as part of their cyber risk management. We are well placed to help trustees in their journey towards ensuring that their scheme is cyber resilient. If you would like more information about our Cyber Security Package offering, including information about fixed fees, then please do get in touch.
A recording of the webinar will be available to watch on demand on our website shortly. When our webinar is available, you will also be able to access our Cyber Security Compliance Trustee Checklist for free.
If you would like to explore this topic further with us, please contact your usual Burges Salmon contact or enquire via Richard Pettit or Samantha Howell. For specific queries on data protection and what to do in the face of a cyber-attack, David Varney from our Technology team or Amy Khodabandehloo from our Dispute Resolution team would be pleased to assist.