With the pensions industry having direct experience of recent cyber security incidents, the Pensions Regulator (TPR) has updated its guidance for trustees in this area. As a reminder, this year saw Capita suffer a cyber security breach (see our legal update) and the Pensions Ombudsman experienced a cyber incident. This legal update summarises some of the practical steps that TPR expects trustees to take in order to meet expectations in its draft General Code (yet to be finalised).

The trustees' role

As trustees are accountable for the security of scheme information and assets (even though others handle data and manage technology on their behalf), they must:

Understand their scheme's cyber risk.

Make sure that those handling data or managing technology on their behalf have controls in place to reduce the risk of cyber incidents occurring and their impact.

Manage cyber incidents that arise.

Regularly reviewing and keeping records of their assessment of cyber risk, controls and response plans, as well as ensuring they have access to cyber risk expertise, are just some of the steps that TPR expects trustees to take.

More widely, trustees need to ensure that the scheme's cyber risk is appropriately managed by other parties, including suppliers, and should actively consider cyber risk when selecting suppliers. Processes should include reporting on, and monitoring of, the arrangements in place.

Assessing and understanding the scheme's cyber risk

Cyber risk should be assessed and included in the scheme's risk register. This involves understanding:

The scheme's cyber footprint, i.e. the digital presence of all parties involved in the scheme.

The scheme's critical functions and the systems and assets needed to deliver these.

Who holds what data, and how and where it flows.

The value to criminals from data theft or corruption, or the interruption of critical services to members.

The type and potential severity of incidents to which the scheme is vulnerable.

The potential impact of a cyber incident on members, the scheme, and where appropriate, the sponsoring employer.

Ensuring cyber controls are in place

Trustees should check that those handling data or managing systems on the trustees' behalf have controls in place to:

Reduce the likelihood and impact of a cyber incident.

Detect cyber incidents.

Respond effectively.

Responding to cyber incidents

A plan setting out how to respond to a cyber incident should be in place and regularly maintained. Trustees need to check that they have sufficient capability to investigate a cyber incident, and any incidents should be documented. Major cyber incidents should be followed by a post-incident review, and the scheme's response plan should be updated as appropriate in light of the lessons learned. Post-incident monitoring may also be necessary in some cases.

Members should be notified of any cyber incident and kept up to date as the investigation progresses. Trustees should direct members to relevant information to help protect them from the effects of a data breach, and may also offer support services.

Reporting a cyber incident

TPR is asking trustees and their advisers and providers to report significant cyber incidents to it on a voluntary basis as soon as reasonably practicable. The full investigation into the incident does not need to have been completed before the report is made. A significant cyber incident is one that is likely to result in:

A significant loss of member data.

Major disruption to member services.

A negative impact on a number of other schemes or pension service providers.

Reporting to TPR does not replace trustees' existing legal reporting requirements, which include reporting to the Information Commissioner's Office (ICO).
