Regulators may not be as joined up on cyber risks as you think, according to Eversheds Sutherland. The firm’s Richard Bacon, Claire Carroll and Lorna Doggett explore what this means for pension scheme trustees.

While media attention is currently focused on the potential investment power of pension schemes, cyber criminals continue to ply their trade against the industry.

A recent report by the Information Commissioner’s Office (ICO), which was not limited to the pensions industry, reflected on the ICO’s experiences and highlighted the most significant cyber threats to organisations in the UK. 

These included malware and ransomware, phishing, brute force attacks, denial of service, errors, and supply chain attacks. 

By analysing ICO data, we have established that, across 2023 and the first half of 2024, the pensions industry reported hundreds of cyber incidents to the ICO. The ICO took action, including providing informal advice, in respect of the majority of those cases. 

In contrast, however, in response to a Freedom of Information Act request in July this year, the Pensions Regulator (TPR) stated that it did not hold records of any cyber incidents having been reported to it in the past five years.

On the face of it, this seems like a significant contrast. The explanation likely lies in the different scope and reporting requirements of each regulator. 

Contrasting approaches

The ICO regulates all data controllers and processors, including administrators, and has a mandatory requirement that personal data breaches are reported by controllers within 72 hours, unless a breach is unlikely to pose a risk to individuals’ rights and freedoms. 

Controllers that fail to notify the ICO in accordance with those requirements will be in breach of a legal requirement, which could result in significant fines and/or other ICO enforcement. 

In contrast, TPR only directly regulates pension schemes. Under its latest guidance – published in December 2023 – schemes, advisers and providers are asked to report significant cyber incidents on a voluntary basis.  

‘Significant’ for these purposes means a cyber incident likely to result in a significant loss of member data, major disruption to member services, or a negative impact on a number of other pension schemes or service providers. 

(This does not reduce trustees’ duties to report breaches of pensions law that are likely to be of material significance to TPR, or master trusts’ significant event notification requirements, for example where a cyber incident results in an inability to pay benefits.)

Readers may be aware that many regulators share a “memorandum of understanding”, under which they set out their arrangements for cooperation and coordination in overlapping areas. 

In response to a Freedom of Information Act request, TPR confirmed to us that it does not have a memorandum of understanding in place with the ICO, although we think it likely the regulators do share data when they need to. 

For example, it’s clear from joint guidance on marketing versus regulatory communications, issued by TPR, the ICO and the Financial Conduct Authority in November 2024, that the regulators do liaise on policy matters.

How to manage risk

So where does this leave trustees, advisers and providers who are subject to a cyber incident? 

While there should not be a blanket policy of reporting every cyber incident to TPR, consideration should be given to whether that is appropriate for significant incidents, particularly where the requirements for a TPR notification are, or even could be, triggered. 

Where a report is made to both the ICO and TPR, those reports should be consistent with each other, be made at the same time, reflect any incident reports sent to members, and not contain anything which could be prejudicial in the context of future litigation.

Richard Bacon is a principal associate and Lorna Doggett and Claire Carroll are partners at Eversheds Sutherland.