The Pensions Regulator (TPR) has updated its cyber security guidance to help tackle the ongoing threat posed by cyber criminals, urging pension scheme trustees to report significant cyber-related incidents.
In its guidance, TPR noted that pension schemes are at risk of being targeted by cyber-attacks because of the large amounts of personal data and assets they hold, stressing that trustees and scheme managers are accountable for the security of scheme information and assets.
Given this, the revised guidance aims to help trustees and scheme managers meet their duties to assess the risk, ensure controls are in place, and respond to incidents. It is also expected to be of use to scheme suppliers and advisers.
In particular, TPR has, for the first time, asked trustees and scheme providers to report significant cyber incidents, so it can build a better picture of the cyber risk facing the industry and its members.
"We are keen to work with the industry to ensure that savers are adequately protected, and share good practice and insight. Open and transparent dialogue is particularly important for handling cyber risk," TPR stated in the guidance.
"We are asking schemes, their advisers and providers to report significant cyber incidents to us on a voluntary basis, in an open and co-operative way, as soon as reasonably practicable. You do not need to conduct the full incident investigation before reporting to us."
However, TPR clarified that reporting an incident to the regulator does not replace existing legal requirements, such as the need to report a personal data breach to the Information Commissioner's Office (ICO) without undue delay.
The guidance also emphasised that trustees are legally required to report breaches of pensions law where these are likely to be of material significance, including where these arise from a cyber incident, for example if it leaves the scheme unable to process core transactions promptly and accurately, such as benefit payments.
Commenting on the new guidance, interim director of regulatory policy, analysis and advice, Louise Davey, said: "Cyber risk is complex, evolving and requires a dynamic response. It's a very real threat as we have seen from events this year.
"We want industry to work openly and collaboratively together, and with us, to address the challenges of cyber threats and have a clear plan for when things go wrong. Doing so will make us all more resilient to attacks.
"As part of this, we want to hear about cyber-related incidents so our understanding of issues improves in real time."