Pensions Regulator Issues Updated Cyber Security Guidance for Trustees in Response to Industry Incidents
January 3, 2024
The Pensions Regulator (TPR) has issued updated guidance for trustees in response to recent cyber security incidents within the pensions industry, including breaches at Capita and the Pensions Ombudsman, according to an article by Mayer Brown.
The guidance, outlined in TPR’s draft General Code, emphasizes the trustees’ accountability for the security of scheme information and assets. Trustees are expected to understand their scheme’s cyber risk, ensure that those managing technology and data have adequate controls, and effectively manage cyber incidents.
Trustees are required to regularly review and document their assessment of cyber risk, controls, and response plans. TPR emphasizes the importance of having access to cyber risk expertise and actively managing cyber risk with suppliers. The assessment of cyber risk should include understanding the scheme’s digital presence, critical functions, data flow, potential impact of incidents, and vulnerabilities.
To ensure cyber controls are in place, trustees should verify that those handling data or managing systems have measures to reduce the likelihood and impact of incidents, detect them, and respond effectively. In the event of a cyber incident, trustees need a response plan, and major incidents should be followed up with a post-incident review, updating the response plan based on lessons learned.
The guidance also includes recommendations for notifying members of cyber incidents, providing them with relevant information to protect against data breaches, and offering support services. Trustees are encouraged to voluntarily report significant cyber incidents to TPR, even before full investigations are completed. Significant incidents are those likely to result in a substantial loss of member data, major service disruption, or a negative impact on multiple schemes or service providers.