Articles in Pensions Age and European Pensions this week have highlighted recent research concluding that there has been a 4,000% increase in reported cyber security breaches by UK pension schemes in 2022/23 compared with 2021/22. Such a significant rise in cyber attacks which have been specifically targeting pension schemes clearly emphasises the very real cyber security threat faced by trustees and scheme managers.
Why is there a threat?
Pension schemes hold large volumes of highly sensitive personal information, financial information and, of course, hold significant assets. They also usually have several third-party suppliers involved in the running of schemes. These features make pension schemes particularly attractive to cyber-criminals and, as such, trustees and scheme managers must be conscious of the potential risks if they are to prevent attacks on schemes.
This threat came into sharper focus for the pensions industry earlier this year when Capita was targeted by a cyber-attack, during which data held by the administrator was deemed to have been exfiltrated. As part of the recovery from this, trustees which had used Capita as their administrator were asked by the Pensions Regulator (“TPR”) to provide information about the steps they had taken to ensure their obligations as data controllers had been met.
Current TPR guidance
In 2018, TPR set out its cyber security principles for trustees to follow in terms of their response to growing cyber security threats. However, despite the changes to the cyber landscape since their introduction, these principles have not yet been updated.
TPR has, helpfully, included modules on cyber controls and business continuity in the draft General Code of Practice. Alice Honeywill set out Burges Salmon’s thoughts on the cyber controls module – including thoughts as to what was missing from it – in this article back when the Single Code (as it then was) had not long been published.
Unsurprisingly given the position that the pensions industry now finds itself in, there have recently been increased calls for The Pensions Regulator (TPR) to go further than its current guidance in this area, and to provide greater guidance to trustees and scheme managers.
During their response to the Capita incident, TPR acknowledged that there are ongoing risks in cyber security and emphasised the importance of having “robust cyber security and business continuity policies in place”, but has not yet released specific guidance on what policies and procedures should be followed.
Are there any proposed changes?
The cyber controls and business continuity modules in the forthcoming General Code of Practice arguably don’t go far enough and leave the determination of appropriate steps for cyber security open to interpretation. While the document does emphasise that trustees have responsibilities to consider the risks and take action, it does not provide clarity as to how trustees ensure that these actions are adequate to protect their schemes.
In our experience, cyber security is an area where trustees often feel like they do not have the expertise to assess their third party suppliers and whether their technical and organisational measures follow best practice guidelines. Any further, more specific guidance from TPR would therefore likely be welcomed by trustees and scheme managers; however, a balance would need to be struck between guidance that is helpful but also not too prescriptive (to avoid it becoming out of date quickly given the pace of developments in the cyber security space).
UK pension schemes reported the biggest rise in cybersecurity breaches, according to the research, increasing from six in 2021/22 to 246 in 2022/23.