On 2 February 2024, the Pensions Regulator (“TPR”) released a regulatory intervention report reflecting on the 2023 cyber-attack on Capita (the “Report”). The Report sets out how TPR worked with Capita in relation to the cyber incident, reflects on lessons learned and sets out expectations for pension scheme trustees dealing with a cyber security incident going forwards. 

Here we set out our thoughts on the key aspects of the Report in light of the lessons we have learned from assisting our clients in dealing with the Capita cyber incident. 

Background

For more information about the Capita cyber incident, please see our previous blog on the topic.

In this article, we will refer throughout to the “Cyber Principles” (which were recently updated by TPR, having been published on 11 December 2023) and the “General Code” (with the updated version being published by TPR on 10 January 2024 and expected to take effect on 27 March 2024). 

Protection and payment of benefits 

In the Report, TPR emphasises that, after the incident, their “immediate focus was to ensure pensioners and other beneficiaries were able to receive pension payments on time”. In our experience, this quite rightly reflected the key immediate concern for trustees whose schemes were impacted, who wanted to ensure that none of their pensioner members would be left without their pension payments. Fortunately, on this occasion, the Report confirms that pension payments were not affected by the cyber attack and Capita were able to promptly confirm this to TPR. 

TPR’s Cyber Principles state that any “core services” (which expressly includes pension payments) are “ideally” available within 24 hours of any cyber incident. This solidifies the expectation that the priority of both TPR and trustees will be ensuring that member benefits are both protected and payable on time. 

Regulation of pension scheme administrators 

In the Report, TPR acknowledges that it does “not have direct regulatory grip over administrators”. Instead, TPR “regulate how trustees govern their pension schemes, including their relationships with administrators”. 

TPR notes within the Report that administrators “are a key service provider to trustees and pension schemes, and we work to influence the best possible outcome” for savers. With this – and the potential for another cyber incident involving a major administrator – in mind, TPR is eager to expand its influence over administrators. This has already been done in three ways: 

  1. Responsibility post-delegation: within the Cyber Principles, TPR reminds trustees that under GDPR and related data protection legislation “you should not assume your suppliers and those handling or managing systems… have taken the required steps. You remain accountable”. In this way, the Cyber Principles are indirectly applicable to administrators as trustees should ensure that administrators comply, too, or face the risk of being in breach themselves. The General Code conveys a similar message to trustees. 
  2. Communication between trustees and third-party providers: the General Code states that trustees should communicate with the likes of administrators “at least quarterly to enable the risk register to be updated”. Building on this, the Cyber Principles encourage schemes and administrators to have “open, transparent and collaborative” working relationships, and for trustees to request from administrators “regular, plain English reports” on cyber risks. Trustees should therefore make sure that they are asking the right questions of their administrators in this area on a regular basis. 
  3. Networking and consulting: within the Report, TPR cite that they “have trialled and embedded a new Administrator Relationships initiative, engaging directly with a small number of third-party pension administrators… [and] regularly with all the largest third-party administrators”. 

Looking forward, TPR states that it “aim[s] to better understand [the administrators’] sector, identify areas where changes will improve saver outcomes, and ultimately raise standards”. It will be interesting to see the extent to which TPR seeks to expand its influence over administrators. We anticipate that there will be a closer collaboration between TPR and the Pensions Administration Standards Association (PASA) going forwards, to help to align expectations of administrators in relation to cyber security to benefit pension schemes and, ultimately, their members. 

Member communications

In the event of another cyber incident affecting a major administrator, TPR states that “prompt communication should be prioritised so members are informed and can take steps to protect themselves as soon as possible”. To achieve this, TPR encourages schemes to consider using the affected administrator’s template wording (rather than contemplating their own bespoke wording which may mean that communicating with members takes longer). 

In our experience, however, the delay in communicating with members about the Capita cyber incident was typically due to the logistics of sending out the communications – with the administrator struggling to meet the unprecedented demand for such a volume of member communications to be sent out with urgency. Some trustees also found that members who received communications based on Capita’s template found the letter to be too impersonal and demonstrated a lack of concern on the trustees’ part (which was never the case in reality), meaning that there are also cons to using a template communication which trustees should be aware of. 

TPR’s Cyber Principles require trustees to communicate promptly with members (potentially before the precise details and implications of the attack are known), address any concerns they have, and keep them updated regarding any investigation. In our view, the best way to comply with this requirement is to prepare, prepare, prepare. For example, we suggest that you:

  1. Designated communications provider: have an alternative third-party (that is unconnected with your scheme administrator) that you could rely upon to send out member communications if your administrator was unable to do so; and 
  2. Electronic messaging: engage in a campaign to encourage electronic communication routes (if appropriate given the demographic of your membership), for example by obtaining members’ email addresses or developing a scheme portal. This will, of course, give you a method of communicating without the need to print and post letters. 

Conclusion

Cyber security is clearly a high priority on TPR’s agenda for 2024. Within a two-month period, we have seen TPR publish its updated Cyber Principles, the updated General Code (which includes cyber controls and business continuity modules, which will feed into a scheme’s ESOG), and the Report released just days ago. 

Building pension schemes’ cyber resilience in the wake of the recent developments is critical, especially as cyber incidents will inevitably continue to occur in the pensions industry. The best thing pension scheme trustees can do is prepare, prepare, prepare. 

Burges Salmon can assist pension schemes in building their cyber resilience. Our Cyber Security Package offering is designed to meet the cyber security expectations for trustees under TPR’s Cyber Principles and the General Code. Some information about this can be found in our Cyber Security Compliance Trustee Checklist.  

If you are interested in finding out more about our Cyber Security Package offering or anything else cyber security related, please contact Richard Pettit or Samantha Howell.

This article was written by Callum Duckmanton and Samantha Howell.