A newly published report details how TPR worked closely with the administrator and scheme trustees following the incident in March 2023 to assess the risk to pension schemes and their members.
TPR took action to ensure Capita was doing as much as possible to identify the extent of any impact on schemes, and then to inform trustees of affected schemes and their members so that protective measures could be taken.
TPR also contacted the trustees of schemes administered by Capita to highlight the steps it expected trustees to take. These included communicating with their members and meeting their obligations as data controllers.
This engagement was part of a multi-pronged approach, with TPR sharing appropriate information with other regulatory parties, including the Financial Conduct Authority, the Prudential Regulation Authority, the Information Commissioner’s Office (ICO) and the National Cyber Security Centre.
Executive Director of Frontline Regulation, Nicola Parish, said: “Today’s report into the Capita cyber security incident clearly demonstrates the rapid action we take to protect savers.
“The incident also highlighted the importance of trustees having robust cyber security and business continuity plans in place. We expect a scheme’s cyber security and business continuity plan to cover a range of scenarios so that, if an incident occurs, trustees can ensure the safe and swift resumption of operations.
“If trustees outsource administration, they are still responsible for ensuring scheme obligations towards members are met and that data is handled properly.”
Revised cyber security guidance
Pension schemes are at risk of being the target of cyber-attacks because of the large amounts of personal data and assets they hold. In December 2023, TPR published revised cyber security guidance to help trustees and scheme managers meet their duties to assess the risk, ensure controls are in place, and respond quickly to incidents. The guidance is also of use to scheme suppliers and advisers.
For the first time, TPR is asking trustees and scheme providers to report cyber incidents on a voluntary basis, so it can build a better picture of the cyber risk facing the industry and its members.
Last month, TPR published its new general code setting out what it expects of a scheme to maintain an effective system of governance. This brought together many key aspects of running a scheme, including cyber controls. The detail of what constitutes an effective system of governance will be dependent on the size and complexity of the scheme.