Following the recent Capita cyber incident, the Information Commissioners Office (“ICO”) has issued a statement encouraging organisations utilising Capita’s services to see if they have been affected and, if so, report this to the ICO.

Background

Following the announcement from Capita PLC (“Capita”) in April 2023 that it had suffered a cyber-incident impacting provision of its services, Capita has since revealed that despite its initial assessments that no customer data had been compromised, there was in fact “some evidence of limited data exfiltration […] which might include customer, supplier or colleague data”.

Since the investigation into the incident by Capita has begun, the Guardian has reported that around 90 organisations have allegedly been in touch with the ICO following confirmation from Capita that their data may have been affected in some way.

What does this mean for pension schemes?

Pension schemes that have been notified by Capita that the data Capita holds for them has been affected will need to consider whether the breach is reportable to the ICO. As data controller of the information, trustees must notify the ICO within 72 hours of becoming aware of a breach “unless it does not pose a risk to people’s rights and freedoms”. Schemes should also consider whether they will be required to notify the affected members of this breach, which will depend on the risks involved in relation to that member’s data.

Upon receipt of a notification from Capita, trustees should contact their advisers as soon as possible, invoke their incident response plans and may also want to check their contracts to understand Capita’s contractual obligations in relation to cyber incidents.

How can we help?

Burges Salmon recognises that cybercrime is one of the single biggest risks for pension schemes. We recently held a cybersecurity webinar which focused on preventative and reactive measures trustees can implement to help to reduce and mitigate cyber risk, as well as what to do when faced with a potential cyber-attack.

We have also recently launched our Cyber Security Package offering, which consists of key policy documents and training materials which trustees should implement as part of their cyber risk management. We are well placed to help trustees in their journey towards ensuring that their scheme is cyber resilient. If you would like more information about our Cyber Security Package offering, including information about fixed fees, then please do get in touch.

A recording of the webinar is now available to watch on demand on our website here: Webinar: Cyber security for pension schemes - the blue hats and the red hats (burges-salmon.com). You can also access our Cyber Security Compliance Trustee Checklist for free on that same webpage.

If you would like to explore this topic further with us, please contact your usual Burges Salmon contact or enquire via Richard Pettit or Samantha Howell. For specific queries on data protection and what to do in the face of a cyber-attack, David Varney from our Technology team or Amy Khodabandehloo from our Dispute Resolution team would be pleased to assist.