The Pensions Regulator (TPR) has issued an update on the lessons learnt about dealing with cyber crime from pension administrator Capita’s cyber security incident last year.
In a report published today, TPR says trustees should not wait for investigations to be resolved before contacting members if there is a reasonable chance their data is at risk. It adds that trustees should not underestimate the amount of work involved in this type of exercise and should factor it in as part of effective contingency planning.
On 31 March 2023, Capita became aware of a cyber security incident, which resulted in data being accessed. TPR engaged with Capita throughout the weekend. On 3 April 2023, Capita reported that there had been disruption to some services provided to individual clients’ pension schemes.
As Capita continued to investigate the incident, it released a further public update on 20 April 2023, explaining that it was working with specialist advisers and forensic experts to investigate the incident. This revealed that the incident appeared to have arisen as a result of unauthorised access on or around 22 March 2023, and was interrupted by Capita on 31 March 2023 as soon as it became aware of it. At that time, it was thought that the incident had potentially affected about 4 per cent of Capita’s server estate, which could include customer, supplier or colleague data. Capita subsequently revised this figure to less than 0.1 per cent of its server estate. The company noted in its half year results published on 4 August 2023 that it expected to incur exceptional costs of between £20 million and £25 million associated with the cyber security incident, including the complex forensic analysis.
TPR says it supported Capita in developing template wording, including appropriate scams warnings, which trustees could use to communicate with their members. Some schemes chose to develop bespoke member communications which, in some cases, led to delays. TPR says prompt communication should be prioritised so members are informed and can take steps to protect themselves as soon as possible.
Executive director of frontline regulation, Nicola Parish, says: “The incident highlighted the importance of trustees having robust cyber security and business continuity plans in place. We expect a scheme’s cyber security and business continuity plan to cover a range of scenarios so that, if an incident occurs, trustees can ensure the safe and swift resumption of operations.
“If trustees outsource administration, they are still responsible for ensuring scheme obligations towards members are met and that data is handled properly.”
Key steps trustees should take in the event of a cyber security incident
- Communicate with the employer, administrator or other service provider to understand how the scheme/members are impacted. As a priority, trustees should understand whether there is likely to be any disruption to payment of benefits, retirement processing and bereavement services.
- Notify TPR as appropriate and, if any personal data is involved, the ICO where required.
- We are keen to work with the industry to ensure that savers are adequately protected, and share good practice and insight. In December 2023 we updated our cyber guidance and we are asking schemes, their advisers and providers to report significant cyber incidents to us on a voluntary basis, in an open and co-operative way, as soon as reasonably practicable.
- Trustees are also legally required to report breaches of pensions law where these are likely to be of material significance to us. This includes where these arise from a cyber incident, for example if it leaves you unable to process core transactions promptly and accurately, such as benefit payments.
- Reporting to us does not replace trustees’ existing legal requirements, such as the requirement to report a personal data breach to the ICO without undue delay (if it meets the threshold for reporting) and within 72 hours.
- Establish whether key services and interfaces with other parties can be operated safely. Restore key services when it is safe to do so, keeping members and regulators informed on the ability to provide these services.
- Consider whether any immediate actions are required to safeguard members’ benefits. This could include changes to security procedures to combat identity fraud, where hackers use personal data to gain access to pension benefits.
- Communicate with members and signpost to appropriate guidance so they can take the necessary actions to protect their personal information.
- Direct members to the National Cyber Security Centre guidance for individuals on data breaches. If a scheme is subject to a significant cyber security incident, the trustees and/or scheme managers should contact the NCSC for support.
- Monitor increased or unusual transfer requests. Members will be concerned about the security of their data, which might lead them to decide to transfer out of the scheme. Members should be provided with all relevant information and notified of any risks to ensure they are well informed before transferring to another scheme.
- Warn members about pension scams. We believe that trustees and administrators are the first line of defence against pension scammers.