Higher numbers of pension cyber incident reports have increased the response time of the Information Commissioner’s Office (ICO), according to research by law firm Eversheds Sutherland.
The number of cyber incidents reported by the pensions sector to the ICO grew to 284 in the 2023-24 financial year, with informal action taken in three-quarters (76 per cent) of those cases, the firm said.
Data obtained by the firm from the ICO showed that pension-related cyber incidents peaked at 242 in the second quarter of 2023, and informal action was taken on 199 of those. The average time taken to complete informal action reached 249 days.
By contrast, in the third quarter, the number of cyber incidents reported fell to just 13 and only six of those resulted in informal action. The time taken to complete informal action in this context was almost halved to 126 days.
In the first quarter of 2024, there were 26 reports of pension-related cyber incidents, and 10 of those resulted in informal action; the average time between receipt and completion of informal action fell by five days.
Eversheds Sutherland partner Claire Carroll said that increases in the reporting of pensions cyber incidents appeared “to have impacted the time required by the ICO for handling those reports”.
She said: “Although it appears that business has returned to normal, pension trustees and administrators should keep in mind that cyber incidents impacting large numbers of market participants may significantly increase the time taken for the ICO to respond to reports.”
Carroll added: “Given the large amounts of personal data held by the pensions industry and the developing case law in this area, trustees and administrators should remain vigilant to the risks of cyber vulnerabilities and consider the advantages of being a first-mover in reporting to the ICO in respect of industry-wide issues.”
Responding to the analysis, an ICO spokesperson told Pensions Age: “We received higher volumes of reports from this sector in mid-2023 following a cyber-attack on Capita.
“Whilst we endeavour to respond to all personal data breach reports as quickly as possible, our response times can be slower than we'd like when dealing with larger volumes.
“We continue to have a robust triage process for each and every report we receive to determine which should progress to a formal investigation and those where other courses of action may be more appropriate.”