The Pensions Regulator launches new cyber security guidance

Tim Robinson, Partner, Forensic Services
New voluntary reporting of cyber incidents now included to help improve the understanding of issues affecting schemes.
Pension schemes are attractive targets for cybercriminals because of the significant assets and the personally identifiable information (PII) of their members that they hold. Coupled with the imperative to pay members’ benefits on time, this makes them particularly vulnerable to extortion via ransomware attacks.

To help fight back, the Pensions Regulator (TPR) launched new guidance on Monday 11 December 2023 for pension scheme trustees and scheme managers. It will help them to meet their duties to assess cyber risk, ensure appropriate cyber controls are in place and respond effectively in the event of a cyber incident. The guidance will therefore also be of interest to pension scheme suppliers and advisers, with the former being required to deliver on many aspects of the guidance.

What does it include?

The guidance covers a range of topics and practical steps that are integral to building cyber resilience and meeting the expectations set out in the draft General Code of Practice. These include:

  • what is cyber risk
  • your role
  • assessing and understanding the risk
  • ensuring controls are in place
  • responding to incidents
  • reporting an incident
  • links to more information.

What is new?

In addition to reiterating valuable advice to meet the expectations of the draft General Code, TPR is now asking schemes, their advisers and providers, to report significant cyber incidents to it on a voluntary basis, in an open and cooperative way, as soon as reasonably practicable.

A significant cyber incident is likely to result in:

  • a significant loss of member data
  • a disruption to member services
  • a negative impact on a number of other pension schemes or pension service providers.

This follows the action taken by TPR earlier in 2023 when it wrote to trustees whose schemes were impacted by the cyber attack on Capita, reminding them of their existing legal reporting responsibilities and asking to be kept up to date as the cyber investigation progressed.

The message from TPR

Louise Davey, Interim Director of Regulatory Policy, Analysis and Advice at TPR commented on the guidance:

“Cyber risk is complex, evolving and requires a dynamic response. It’s a very real threat as we have seen from events this year.

“We want industry to work openly and collaboratively together, and with us, to address the challenges of cyber threats and have a clear plan for when things go wrong. Doing so will make us all more resilient to attacks.

“As part of this, we want to hear about cyber-related incidents so our understanding of issues improves in real time.”

Need further support?

The guidance will help many to understand what activities they need to do now, and in the future, to respond to the complex and rapidly evolving threat. However, trustees should continue to review whether they have access to genuinely specialist advice concerning how to properly protect their pension schemes and meet the expectations of the General Code.

The Forensic Services team at Crowe are specialists in this area and work with a range of schemes to understand and meet the requirements of TPR. Please contact Tim Robinson if you would like to discuss the new guidance and how it impacts your scheme.

Contact us

Tim Robinson
Partner, Forensic Services