In March 2023, Capita suffered a serious cyber security breach in which customer data was exfiltrated. This cyber-attack affected thousands of pension holders who had their personal data compromised. For more information about the Capita cyber incident, please see our previous blog on the topic.
Whilst many – particularly those pension schemes that were lucky enough not to be impacted – may think of this incident as recent history, for Capita and many of the pension schemes that were impacted the effects of the cyber incident are still being felt more than one year on.
Costs of the cyber breach for Capita
It has been estimated that Capita’s costs associated with the incident are up to £25m. Capita has also evidently suffered reputational damage, potential loss of business and customers, as well as increased regulatory scrutiny and investigations from the ICO and the Pensions Regulator (“TPR”).
TPR’s involvement was made public earlier this year in its “Regulatory Intervention Report” published on 2 February 2024. For more information about the report, please see our previous blog on the topic.
Claims against Capita
But the consequences have not stopped there, as litigation is now a reality. On 12 January 2024, a claim was filed in the High Court against Capita for the breach on behalf of over 5,000 pension holders.
Barings Law, the law firm representing the claimants, said its own investigations found “alarming potential breaches” and that its “High Court action speaks volumes”. It has estimated that the claim could be worth up to £5m. Capita has, however, denied that there is any basis for legal action and in a statement in the Telegraph said: “We strongly reject any suggestion that there is any valid basis for bringing a claim against [the company].”
It will be interesting to see how this claim progresses through the Courts.
Ongoing developments
Capita had also instructed a third party to carry out a forensic investigation into the incident, which we understand has now been completed (or is nearly complete). We are aware that a number of pension schemes have been contacted since the completion of these forensic investigations:
- in some cases, schemes that were previously affected were contacted to be told that the breach was worse than they had previously been told (i.e. additional members or data were impacted);
- some schemes that were previously told that they had not been affected by the cyber incident were told that they had in fact been victims of the security breach (around a year after the original incident).
Our recommendation is for all pension schemes to have cyber risk on their risk registers. For schemes that use Capita as their administrator (or former administrator), we recommend being prepared to act in case you are told that the cyber incident did indeed affect your scheme (when you previously understood that you were not impacted) or that your scheme was impacted more significantly than initially thought.
Comment
The Capita breach has emphasised how important cyber security is within the pensions industry – with TPR stating in its intervention report that “trustees should not underestimate the amount of work involved in this type of exercise and should factor this in as part of effective contingency planning”.
Trustees should also not underestimate the significant consequences which may follow a cyber incident – with Capita experiencing financial, reputational and legal harm on an ongoing basis (over a year after the breach happened).
Now, more than ever, it is vital that pension schemes and related bodies ensure they have robust cyber policies and practices in place to best protect themselves from cyber threats and attacks. Burges Salmon can assist pension schemes in building their cyber resilience. The best thing pension scheme trustees can do is prepare, prepare, prepare.
How can we help?
Our Cyber Security Package offering is designed to meet the minimum cyber security expectations for trustees under TPR’s Cyber Principles and the General Code. Some information about this can be found in our Cyber Security Compliance Trustee Checklist. Details of our experience in advising pension schemes in relation to cyber security can be found on our dedicated webpage.
If you are interested in finding out more about our Cyber Security Package offering or anything else cyber security related, please contact Richard Pettit or Samantha Howell.