Over a third of pension schemes suffer data breaches in past year

Over a third (35 per cent) of trustees and employers say their pension schemes have suffered a data breach in the past year, according to research from Sackers.

The specialist pension law firm’s research, conducted in advance of an online litigation team webinar, found that less than half (45 per cent) of these breaches were reported to the Information Commissioner’s Office (ICO).

Exploring the fallout from data breaches, Sackers said the media were “far more interested in data security issues within the pensions industry than you might think”, adding that press reporting on the issue tended to be primarily sympathetic towards members.

Sackers senior counsel, Arshad Khan, commented: “The pensions industry is firmly in the sights of the media and seemingly public interest too when it comes to data security. And the headlines can be emotive, giving many the impression that the industry is not on top of the situation.

“But the pensions industry is no different to any other industry, and breaches or cyber attacks do and will continue to happen to everyone, including schemes, such as those in our survey, and government bodies such as the Department for Work and Pensions, The Pensions Regulator (TPR) and HMRC too.

“Headlines tend to be grabbed by breaches resulting from criminal activity, something that has become increasingly commonplace over the last year. But most breaches are down to errors, either human or systematic in origin. That is why TPR has identified that a scheme’s internal controls need to include measures to reduce cyber risk.”

When a breach is encountered, Sackers noted that it was important to alert the ICO and TPR quickly, as well as giving the organisations updates on any unfolding situation.

The firm added that it was worth bearing in mind that there was “no single answer” to where things might end up after the reporting of a data breach, as the situation could escalate to any one of the ICO, TPR, the courts or the Pensions Ombudsman.

As such, the firm recommended that schemes which had suffered a data breach manage the situation with correct communication, noting that it was “crucial” to ensure the correct information was getting to the right parties, such as decision-makers, at the correct times.

Khan concluded: “The risk of prosecution and fines from the ICO is real and they don’t need to be headline-grabbing seven-figure fines to cause trustees concern.

“The key message is to ensure that you have good scheme governance and controls in place across all aspects of data management and cyber security, in order to minimise potential damage to members and the scheme’s reputation and finances should a breach happen. This is one critical responsibility that trustees cannot delegate away!”
