The Pensions Regulator reacts as cyber-attacks on the increase

The Pensions Regulator (TPR) is calling on trustees to report significant cyber-related incidents as part of updated guidance to tackle the ongoing threat posed by cyber criminals.

Pension schemes are at risk of being targeted by cyber-attacks because of the large amounts of personal data and assets they hold.

TPR’s latest guidance helps trustees and scheme managers meet their duties to assess the risk, ensure controls are in place, and respond to incidents. The guidance will also be of use to scheme suppliers and advisers.

For the first time, TPR is asking trustees and scheme providers to report significant cyber incidents, so it can build a better picture of the cyber risk facing the industry and its members.

Cyber risk is complex, evolving and requires a dynamic response

Interim Director of Regulatory Policy, Analysis and Advice Louise Davey said: “Cyber risk is complex, evolving and requires a dynamic response. It’s a very real threat as we have seen from events this year.

“We want industry to work openly and collaboratively together, and with us, to address the challenges of cyber threats and have a clear plan for when things go wrong. Doing so will make us all more resilient to attacks. As part of this, we want to hear about cyber-related incidents so our understanding of issues improves in real time.”

Paul McGlone, partner at Aon, said:

“Although the original Pensions Regulator (TPR) guidance from 2018 has aged well and remains very relevant, we think it’s right that they have refreshed their material to remain as up-to-date as possible. Combined with the new General Code that is due to be launched soon, the message is clear: that TPR expects trustees and scheme managers to take cyber risk seriously, and have plans in place to protect their schemes and members.

“Cyber remains a high priority for pension schemes and sponsors, with many schemes putting it at the top of the risks they are concerned about. Aon’s recent Global Pension Risk survey showed that by January 2023, 14 percent of schemes had already been impacted by a cyber incident. Taking into account the well-publicised incidents impacting on pension schemes during 2023, we expect that figure is now around 20-25 percent.

“We also know that pension schemes are doing more work around cyber resilience than ever before. Whether it’s assessing third party providers or running incident response simulations, we’ve seen more activity in 2023 than any previous year – and many schemes that have so far resisted the urge to deal with cyber risks, have decided that 2023 is the time they need to take it seriously.”

 

