[co-author: Oliver Jones]

The Pensions Regulator (TPR) has published a regulatory intervention report outlining how they worked with Capita following a cyber incident last year (see our legal update), and detailing the key steps trustees should take in the event of a cyber security incident. The report follows TPR updating its guidance for trustees on cyber security in December 2023 (see our legal update).

With the cost to Capita estimated at £25 million, the report underlines the importance of ensuring that effective preventative measures are in place, along with robust response plans if a cyber incident does occur. The report also highlights that trustees are responsible for ensuring scheme obligations to members are met if they outsource administration, and that they, as data controllers, are liable for ensuring that personal data is handled properly.

Responding to a cyber security incident

As part of the report, TPR has published guidance which trustees should follow in the immediate aftermath of a cyber incident:

• Communicate with the employer, administrator and service providers – trustees should communicate with the employer, administrator and other service providers to understand how the scheme and members are affected. Trustees should prioritise understanding whether there is likely to be disruption to the payment of benefits, retirement processing and bereavement services.
• Notify TPR as appropriate – trustees are legally required to report breaches of pensions law where these are likely to be of material significance to TPR. This includes where these arise from a cyber incident, for example, if it leaves trustees unable to process core transactions promptly and accurately, such as benefit payments. However, TPR has also said that they are keen to work with the industry to share good practice and insight and ensure that savers are adequately protected. TPR has therefore asked that schemes, their advisers and providers report significant incidents to them on a voluntary basis, in an open and co-operative way, as soon as reasonably practicable.
• Notify the Information Commissioner's Office (ICO) if required – reporting to TPR does not satisfy the legal requirement to report personal data breaches to the ICO. This must be done without undue delay and, where feasible, within 72 hours if the breach meets the threshold for reporting. Trustees, as data controllers, must notify the ICO if the breach is likely to result in a risk to the rights and freedoms of individuals. Failure to notify a breach when required to do so can result in a significant fine of up to £8.7 million (or 2% of global turnover).
• Restore key services – trustees should establish whether key services and interfaces with other parties can be operated safely. When it is safe to do so, key services should be restored. Members and regulators should also be kept informed regarding the ability to provide these services.
• Safeguard members' benefits – trustees should consider whether any immediate actions are required to safeguard members' benefits. This could include changes to security procedures to combat identity fraud where hackers use personal data to gain access to pension benefits.
• Communicate with members – trustees should communicate with members and signpost them to appropriate guidance, like the National Cyber Security Centre (NCSC) guidance for individuals on data breaches, so that they can take the necessary actions to protect their personal information. Trustees, as data controllers, are obligated to inform affected individuals without undue delay if a personal data breach is likely to result in a high risk to their rights and freedoms.
• Monitor increased or unusual transfer requests – trustees should monitor for increased or unusual transfer requests taking place. Members will be concerned about the security of their data, which might lead them to decide to transfer out of the scheme. Members should be provided with all relevant information and notified of any risks to ensure they are well informed before transferring to another scheme.
• Warn members about pension scams – trustees should warn members against pension scams, as TPR believe that trustees and administrators are the first line of defence against pension scammers.
• Contact the NCSC – if a scheme is subject to a significant cyber security incident, the trustees should contact the NCSC for support. Timely engagement with the NCSC may result in a more favourable regulatory response from regulators such as the ICO.

How can we help you?

• Responding to breaches – we can assist you with responses to cyber security breaches, including assessing your reporting requirements. We can also assist with drafting or reviewing your communications to the ICO, TPR, and any affected individuals.
• Reviewing cyber security arrangements – it is important that cyber security and data protection arrangements are kept under review. We can assist you by reviewing your cyber security and data protection policies, the processes that you have in place (including incident response plans), and security or data protection arrangements with third party providers.
• Training and testing – cyber security is a rapidly developing area, which, as recent events show, the pensions industry is not immune from. Keeping up to date with cyber security developments is key to ensuring that you have resilient measures in place. We can assist by providing you with training or knowledge update sessions.

[View source.]