Market-wide approach needed to address 'weak link' of cyber resilience

A coordinated, market-wide approach to cyber resilience and operational readiness is needed if the pensions industry wants to protect members and maintain stability, Trafalgar House has said, arguing that cyber resilience is the "weakest link" in pensions and can no longer be ignored.

The Pensions Regulator’s latest market oversight report on administrator relationships, published last month, emphasised the importance of admin in member experiences, stressing the need for trustees and administrators to work together to deliver even higher standards and help achieve better outcomes for savers.

However, Trafalgar House said that the report also exposed a growing fault line: cyber resilience across the pensions administration market is wildly inconsistent.

"Some administrators are ahead of the game, operating mature frameworks, with regular penetration testing, proactive governance, and certifications such as ISO 27001 and ISO 22301. Others, frankly, are nowhere near," Trafalgar House client director, Daniel Taylor, said.

"This isn’t a technical detail, it’s a fundamental threat to the security of millions of savers’ personal and financial data. The pensions sector is effectively running on a “weakest link” model and hoping it holds.

“If the industry wants to protect members, safeguard trust, and maintain stability, we need a coordinated, market-wide approach to cyber resilience and operational readiness.”

Taylor explained that this would require standardisation, with clear, minimum expectations for cyber maturity needed across the market, aligned to trusted frameworks.

In addition to this, Taylor said that assessment and accreditation are needed to make cyber readiness a core component of administrator selection, onboarding and ongoing review, not just a tick-box question in a due diligence pack.

He also stressed the need for industry to support, not just scrutinise, those who are falling behind, emphasising that smaller or less mature administrators must be given the tools, guidance, and resources to meet the bar, not left behind without a path to improvement.

“If we get this wrong, regulation won’t raise the bar, it’ll accelerate market exits at a time when the sector is already consolidating at pace,” he continued.

“The report makes one uncomfortable truth clear: a lack of investment always shows up. It manifests in underdeveloped governance, stretched systems, missed SLAs, and members left waiting too long for basic answers about their pensions.

“Cyber security and operational resilience aren’t optional extras, they are the foundations of a functioning pensions system. If we talk about administration as critical to member outcomes, it’s time to act like we believe it. That means backing accreditation, raising cyber standards and funding the future.”

The focus on cybersecurity has been renewed in recent weeks, following the news that the Information Commissioner’s Office (ICO) issued a fine of £14m to Capita for failing to ensure the security of personal data related to a 2023 breach that saw hackers steal millions of people’s information.
