Articles in Pensions Age and European Pensions this week have highlighted recent research concluding that there has been a 4,000% increase in reported cyber security breaches by UK pension schemes in 2022/23 compared with 2021/22. Such a significant rise in cyber attacks which have been specifically targeting pension schemes clearly emphasises the very real cyber security threat faced by trustees and scheme managers.  

Why is there a threat?

Pension schemes hold large volumes of highly sensitive personal information, financial information and, of course, hold significant assets. They also usually have several third-party suppliers involved in the running of schemes. These features make pension schemes particularly attractive to cyber-criminals and, as such, trustees and scheme managers must be conscious of the potential risks if they are to prevent attacks on schemes.

This threat came into sharper focus for the pensions industry earlier this year when Capita was targeted by a cyber-attack, during which data held by the administrator was deemed to have been exfiltrated. As part of the recovery from this, trustees which had used Capita as their administrator were asked by the Pensions Regulator (“TPR”) to provide information about the steps they had taken to ensure their obligations as data controllers had been met.

Current TPR guidance

In 2018, TPR set out its cyber security principles for trustees to follow in terms of their response to growing cyber security threats. However, despite the changes to the cyber landscape since their introduction, these principles have not yet been updated.

TPR has, helpfully, included modules on cyber controls and business continuity in the draft General Code of Practice. Alice Honeywill set out Burges Salmon’s thoughts on the cyber controls module – including thoughts as to what was missing from it – in this article back when the Single Code (as it then was) had not long been published.

Unsurprisingly given the position that the pensions industry now finds itself in, there have recently been increased calls for The Pensions Regulator (TPR) to go further than its current guidance in this area, and to provide greater guidance to trustees and scheme managers.

During their response to the Capita incident, TPR acknowledged that there are ongoing risks in cyber security and emphasised the importance of having “robust cyber security and business continuity policies in place”, but has not yet released specific guidance on what policies and procedures should be followed.

Are there any proposed changes?

The cyber controls and business continuity modules in the forthcoming General Code of Practice arguably don’t go far enough and leave the determination of appropriate steps for cyber security open to interpretation. While the document does emphasise that trustees have responsibilities to consider the risks and take action, it does not provide clarity as to how trustees ensure that these actions are adequate to protect their schemes.

In our experience, cyber security is an area where trustees often feel like they do not have the expertise to assess their third party suppliers and whether their technical and organisational measures follow best practice guidelines. Any further, more specific guidance from TPR would therefore likely be welcomed by trustees and scheme managers; however, a balance would need to be struck between guidance that is helpful but also not too prescriptive (to avoid it becoming out of date quickly given the pace of developments in the cyber security space). 

How can we help? 

In terms of preventative action, you can access our Cyber Security Compliance Trustee Checklist for free here. We have also recently launched our Cyber Security Package offering, which consists of key policy documents and training materials which trustees should implement as part of their cyber risk management – taking the first steps in their journey towards ensuring that their scheme is cyber resilient. If you would like more information about our Cyber Security Package offering, including information about fixed fees, then please do get in touch.

Where a pension scheme has been impacted by a cyber attack, it is important that the Trustees contact their lawyer at the earliest opportunity, as set out in a recent article written by David Varney, a Director in the Technology Team at Burges Salmon. Whilst calling your lawyer may not be your first thought, it is important to make sure that organisations ensure they remain compliant with their legal, contractual and regulatory obligations throughout the breach response process.

If you would like any advice in relation to pension scheme cyber security risks more generally, please do get in touch with your usual contact in the Pensions Team.

This blog was written by Samantha Howell and Sophie Kirk.