With the pensions industry having direct experience of recent cyber security incidents, the Pensions Regulator (TPR) has updated its guidance for trustees in this area. As a reminder, this year saw Capita suffer a cyber security breach (see our legal update) and the Pensions Ombudsman experienced a cyber incident. This legal update summarises some of the practical steps that TPR expects trustees to take in order to meet expectations in its draft General Code (yet to be finalised).

The trustees' role

As trustees are accountable for the security of scheme information and assets (even though others handle data and manage technology on their behalf), they must:

  • Understand their scheme's cyber risk.
  • Make sure that those handling data or managing technology on their behalf have controls in place to reduce the risk of cyber incidents occurring and their impact.
  • Manage cyber incidents that arise.

Regularly reviewing and keeping records of their assessment of cyber risk, controls and response plans, as well as ensuring they have access to cyber risk expertise, are just some of the steps that TPR expects trustees to take.

More widely, trustees need to ensure that the scheme's cyber risk is appropriately managed by other parties, including suppliers, and it is an area that needs to be actively considered by trustees when selecting suppliers. Processes should include reporting and monitoring the arrangements in place.

Assessing and understanding the scheme's cyber risk

Cyber risk should be assessed and included in the scheme's risk register. This involves understanding:

  • The scheme's cyber footprint, i.e., the digital presence of all parties involved in the scheme.
  • The scheme's critical functions and the systems and assets needed to deliver these.
  • Who holds what data, and how and where it flows.
  • The value to criminals from data theft or corruption, or the interruption of critical services to members.
  • The type and potential severity of incidents to which the scheme is vulnerable.
  • The potential impact of a cyber incident on members, the scheme, and where appropriate, the sponsoring employer.

Ensuring cyber controls are in place

Trustees should check that those handling data or managing systems on the trustees' behalf have controls in place to:

  • Reduce the likelihood and impact of a cyber incident.
  • Detect cyber incidents.
  • Respond effectively.

Responding to cyber incidents

A plan setting out how to respond to a cyber incident should be in place and be regularly maintained. Trustees need to check they have sufficient capability to investigate a cyber incident and any incidents should be documented. Major cyber incidents should be followed up with a post-incident review with the scheme's response plan being updated in light of the lessons learned as appropriate. Post-incident monitoring may also be necessary in some cases.

Members should be notified of any cyber incidents and kept up to date while investigations progress. Trustees should direct members to relevant information to help protect them from the effects of a data breach and they could offer support services.

Reporting a cyber incident

TPR is asking trustees and their advisers and providers to report significant cyber incidents to it on a voluntary basis as soon as reasonably practicable. The full investigation into the incident does not need to have been completed before the report is made. A significant cyber incident is one that is likely to result in:

  • A significant loss of member data.
  • Major disruption to member services.
  • A negative impact on a number of other schemes or pension service providers.

Reporting to TPR does not replace trustees' existing legal reporting requirements which include reporting to the Information Commissioner's Office (ICO).

How can we help you?

While many trustees may already have cyber security structures in place for their schemes, it will be important to check through TPR's updated guidance and consider what other steps would be appropriate. Mayer Brown can assist you in the following ways:

Reviewing cyber security arrangements. We can review the structures you have in place, including your cyber security and data protection policies, your incident response plans, and security or data protection arrangements with third party providers.

Responding to breaches. We can draft, or review, your responses to cyber security breaches, including assessing your reporting requirements. In particular, we can draft or review your communications to the ICO, TPR, other regulators and any affected individuals.

Training. We can support you by running a cyber security session which covers TPR's guidance, and the steps TPR expects trustees to take, to ensure compliance. Cyber security is a fast-developing area and, as recent events show, it is moving closer into the pensions sphere. Therefore, keeping up to date with cyber security developments will be important in helping to ensure you have resilient structures in place.


Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.

© Copyright 2023. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.