The Pensions Regulator (TPR) reacted swiftly to ensure thousands of savers were protected when pension administrator Capita suffered a cyber security incident last year.
A new report published today details how TPR worked closely with the administrator and scheme trustees following the incident in March 2023 to assess the risk to pension schemes and their members.
TPR took action to ensure Capita was doing as much as possible to identify the extent of any impact on schemes, and then to inform trustees of affected schemes and their members so that protective measures could be taken.
TPR also contacted the trustees of schemes administered by Capita to highlight the steps it expected trustees to take. These included communicating with their members and meeting their obligations as data controllers.
This engagement was part of a multi-pronged approach, with TPR sharing appropriate information with other regulatory parties, including the Financial Conduct Authority, the Prudential Regulation Authority, the Information Commissioner’s Office (ICO) and the National Cyber Security Centre.
Executive Director of Frontline Regulation, Nicola Parish, said: “Today’s report into the Capita cyber security incident clearly demonstrates the rapid action we take to protect savers.
“The incident also highlighted the importance of trustees having robust cyber security and business continuity plans in place. We expect a scheme’s cyber security and business continuity plan to cover a range of scenarios so that, if an incident occurs, trustees can ensure the safe and swift resumption of operations.
“If trustees outsource administration, they are still responsible for ensuring scheme obligations towards members are met, and data is handled properly.”
Revised cyber security guidance
Pension schemes are at risk of being the target of cyber-attacks because of the large amounts of personal data and assets they hold.
In December 2023, TPR published revised cyber security guidance to help trustees and scheme managers meet their duties to assess the risk, ensure controls are in place, and respond quickly to incidents. The guidance is also of use to scheme suppliers and advisers.
For the first time, TPR is asking trustees and scheme providers to report cyber incidents on a voluntary basis, so it can build a better picture of the cyber risk facing the industry and its members.
Last month, TPR published its new general code setting out what it expects of a scheme to maintain an effective system of governance. This brought together many key aspects of running a scheme, including cyber controls. The detail of what constitutes an effective system of governance will be dependent on the size and complexity of the scheme.
Notes for editors
- While TPR does not directly regulate administrators, it regulates how trustees govern their pension schemes, including relationships with administrators.
- TPR is the regulator of workplace trust-based pension schemes in the UK. Our statutory objectives are to:
  - protect members’ benefits
  - reduce the risk of calls on the Pension Protection Fund
  - promote, and to improve understanding of, the good administration of work-based pension schemes
  - maximise employer compliance with automatic enrolment duties
  - minimise any adverse impact on the sustainable growth of an employer (in relation to the exercise of the regulator’s functions under Part 3 of the Pensions Act 2004 only)
Press contacts
Out of hours
This is for journalists only with a media enquiry. The number below will divert to our on-call media officer.
pressoffice@tpr.gov.uk
01273 648496