The Pensions Regulator (TPR) has stressed the need for pension schemes' cyber security and business continuity plans to cover a range of scenarios to ensure the safe and swift resumption of operations if an incident should occur.
The comments were made as part of TPR's report on the 2023 Capita cyber security incident, which is estimated to have cost Capita around £25m, as well as causing disruption to their operations and potential reputation damage.
In the report, TPR highlighted Capita's cyber incident as evidence of the importance of having preventative measures in place and ensuring that trustees or managers of pension schemes and their providers have robust cyber security and business continuity plans.
This includes understanding third-party suppliers’ incident processes, including how and when trustees would be informed of a cyber incident at the supplier.
TPR also stressed that even if trustees outsource administration, they are still responsible for ensuring scheme obligations towards members are met, and as data controllers are still liable for ensuring that data is handled properly.
Where there is a risk to the saver, TPR said that it may get involved to understand the risks and how they are to be mitigated, arguing that timely and open communications with those that may have been affected by an incident are crucial so that individuals can be alert to the potential misuse of their data, including any personal data, through scams and fraudulent activity.
Indeed, TPR's report revealed that there were several communications challenges in the Capita incident, as the company sought to contact scheme trustees and members affected by the cyber security incident.
Learning from Capita’s experience, TPR said that trustees should not underestimate the amount of work involved in this type of exercise and should factor this in as part of effective contingency planning.
"The aftermath of a cyber security incident can involve reviewing a vast amount of structured and unstructured data and files, with a material impact on resource requirements to identify what data may have been compromised," it stated.
"Managing data carefully and minimising the level of unstructured data will help ensure responding to a cyber incident can be undertaken as efficiently as possible."
TPR also said that trustees should not wait for these investigations to be resolved to contact members if there is a reasonable chance their data is at risk.
The regulator also clarified that trustees may continue to have responsibility for data stored by third parties, even if a third party is no longer actively involved with the scheme. It noted that some of the exfiltrated data related to schemes that Capita no longer administered (ex-clients), but that for contractual and other reasons Capita were required to keep a copy of the scheme’s data, including where a scheme may have wound up.
TPR was able to provide support to Capita in making contact with those schemes.
However, TPR said that in other cases its ability to contact and support pension scheme trustees promptly was delayed by trustees failing to keep their contact information up to date.
TPR revealed that there were also delays as some schemes chose to develop bespoke member communications, despite the regulator working with Capita to develop template wording, including appropriate scams warnings, which trustees could use to communicate with their members.
"In our view, prompt communication should be prioritised so members are informed and can take steps to protect themselves as soon as possible," TPR stated.
Commenting on the report more broadly, TPR executive director of frontline regulation, Nicola Parish, said: “Today’s report into the Capita cyber security incident clearly demonstrates the rapid action we take to protect savers.
“The incident also highlighted the importance of trustees having robust cyber security and business continuity plans in place. We expect a scheme’s cyber security and business continuity plan to cover a range of scenarios so that, if an incident occurs, trustees can ensure the safe and swift resumption of operations.
“If trustees outsource administration, they are still responsible for ensuring scheme obligations towards members are met and that data is handled properly.”