In February this year (2024), the European Insurance and Occupational Pensions Authority (EIOPA) released their first risk dashboard on the Institutions for Occupational Retirement Provisions (the “Dashboard”). The Dashboard “summarises the main risks and vulnerabilities” within the EEA for both DC and DB occupational pension schemes. 

The Dashboard covers several topics, including credit risks, liquidity risks, the funding of DB schemes, and ESG related risks. In this post, we delve into the Dashboard’s summary of the risk relating to “Digitalisation and cyber risks”.

Digitalisation and cyber risks

Note that EIOPA defines this topic as “risks from a digital operational resilience perspective (i.e. cyber security risks)”, which it links to the increasing digitalisation of the pensions industry generally.

To summarise the Dashboard’s assessment of cyber security risk:

  • ‘Medium’ risk at present.
  • No significant change in risk over the last three months, though the EIOPA did observe that the “materiality of these risks… slightly decreased” during the period (December-February 2024).
  • Expectation of an increase in risk over the next 12 months (February 2024 - February 2025).

Our comment

We would note that the Dashboard is focused on European pension schemes. Therefore, it doesn’t cover factors specific to the UK. For example:

  • The Pensions Regulator (TPR) placing additional emphasis on cyber security in the last few months – with the Cyber Principles (December 2023), General Code including cyber modules (January 2024), and Capita Intervention Report (February 2024) having been released. This means that Trustees are becoming increasingly aware of the risk posed by cyber security breaches (and of the serious consequences for both them and their scheme should their scheme fall victim to an attack). 
  • Consistent messaging by TPR that a cyber security breach affecting a scheme is ‘more of a when, than an if’. Such messaging results in some increase to the perceived level of risk.
  • Recent developments regarding the Capita cyber breach (which we have posted about, regarding both the event itself and TPR’s Intervention Report). We are aware of several schemes receiving notifications in the last few months from Capita that their scheme data was breached, despite having been told back in March 2023 that no breach had occurred. Again, we suspect that this would result in some increase in the perceived risk posed by cyber threats. 

Potentially these factors would result in a UK-focused dashboard concluding that cyber risk is ‘high’ (rather than ‘medium’), and they are certainly relevant UK-specific factors for schemes to consider when allocating risk in their scheme-specific risk registers. On the topic of risk registers, Trustees should ensure they factor in characteristics specific to their scheme (such as the value of the data they hold) when assigning a risk level to cyber.

How we can help 

Burges Salmon can assist pension schemes in building their cyber resilience. Our Cyber Security Package offering is designed to meet the cyber security expectations for trustees under TPR’s Cyber Principles and the General Code. Some information about this can be found here: Cyber Security for Pension Schemes legal advice | Burges Salmon Pensions lawyers (burges-salmon.com).

If you are interested in finding out more about our Cyber Security Package offering or anything else cyber security related, please contact Richard Pettit or Samantha Howell.

This post was written by Callum Duckmanton and Samantha Howell.