TPR urged to provide clearer cyber risk guidance

The Pensions Regulator (TPR) should provide clearer cyber risk guidance, including examples of best practice and practical steps for trustees and scheme managers, RSM UK has said.

The firm noted that TPR's cyber security principles were last issued in 2018, while the forthcoming General Code guidance for cyber controls is “open to interpretation”.

“While it puts great emphasis on what trustees’ responsibilities are, it gives little reference to practical steps to remain compliant,” RSM UK cyber risk partner, Stuart Leach, explains.

“Trustees and scheme managers often have limited expertise in this area, and broader cyber training to educate trustees on how to meet their obligations should be mandatory.”

Given these concerns, and an increasing threat of cyber-attacks, Leach argued that some prescriptive guidance, providing solid examples of what trustees should do to protect their members, would be welcome.

Further guidance could also aid in enforcement, as Leach explained: "While the Information Commissioner’s Office can impose fines and penalties for negligence leading to a data breach, it’s currently unclear how these would be applied, when practical guidelines for trustees are not in place.

"If a scheme suffers a cyber-attack or data breach due to a third-party error, trustees are still accountable, despite the lack of clarity on best practice."

Leach suggested that lessons could also be learnt by replicating the approach taken by other sectors, pointing out that sectors such as financial services have already enhanced their cyber security by providing prescriptive minimum standards on cyber controls and risk management.

"As these sectors have matured, cyber security standards have also evolved towards a risk and threat-based approach," he continued.

"This enables organisations to be more agile when managing specific cyber risks. This approach would provide much needed clarity for trustees, and could be considered by TPR to aid adoption and compliance of the General Code."

This is not the first call for clearer cyber guidance, as Unison also recently wrote to TPR to press for stronger protections to ensure that members’ pensions are safe, after the Capita cyber incident earlier this year.

The union stressed that among the data that has been compromised is information entrusted to Capita by some 450 pension schemes, with some Unison members in the affected schemes.
