This week the Pensions Regulator (TPR) has released updated cybersecurity guidance detailing the steps pension scheme trustees should take in order to safeguard member data and scheme assets against cyber risk and meet the expectations set out in the draft general code of practice. Recognising the evolving nature of cyber threats, the guidance aims to help trustees and scheme managers in meeting their duties "to assess risk, ensure controls are in place, and respond to incidents." 

Most notably, TPR has, for the first time, called on trustees and scheme providers to voluntarily report significant cyber incidents. This demonstrates a shift in expectations, as TPR aims for proactive industry collaboration to enhance understanding and resilience against cyber threat. However, the guidance reminds trustees that reporting to TPR complements, rather than replaces, existing legal obligations, including reporting personal data breaches to the Information Commissioner's Office (ICO). 

This new cyber security guidance is a welcome update from TPR, given that TPR’s previous cyber security principles date from 2018, since which time changes to the cyber security landscape for the pensions industry have changed significantly (as we outlined in our previous article here). 

 The new guidance addresses key aspects of prevention, detection, and response to cyber incidents, emphasizing the need for clear governance structures, data security policies, and technical controls. Moving forward, it aims to encourage trustees to collaborate proactively with the relevant parties, including TPR itself, to ensure the necessary measures are in place to mitigate cyber risk. In a TPR press release dated 11 December 2023, Louise Davey, Interim Director of Regulatory Policy, Analysis and Advice at the Pensions Regulator commented that:

"We want industry to  work openly and collaboratively together, and with us, to address the challenges of cyber threats and have a clear plan for when things go wrong. Doing so will make us all more resilient to attacks. As part of this, we want to hear about cyber-related incidents so our understanding of issues improves in real time."

If you would like any advice in relation to pension scheme cyber security risks more generally, please do get in touch with Richard Pettit, Samantha Howell or your usual contact in the Pensions Team.