Over a third of pension schemes suffer data breaches in past year

Over a third (35 per cent) of trustees and employers say their pension schemes have suffered a data breach in the past year, according to research from Sackers.

The specialist pension law firm’s research, conducted in advance of an online litigation team webinar, found that less than half (45 per cent) of these breaches were reported to the Information Commissioner’s Office (ICO).

Exploring the fallout from data breaches, Sackers said that the media were “far more interested in data security issues within the pensions industry than you might think”, adding that press reporting on the issue tended to be primarily sympathetic towards members.

Sackers senior counsel, Arshad Khan, commented: “The pensions industry is firmly in the sights of the media and seemingly public interest too when it comes to data security. And the headlines can be emotive, giving many the impression that the industry is not on top of the situation.

“But the pensions industry is no different to any other industry, and breaches or cyber attacks do and will continue to happen to everyone, including schemes, such as those in our survey, and government bodies such as the Department for Work and Pensions, The Pensions Regulator (TPR) and HMRC too.

“Headlines tend to be grabbed by breaches resulting from criminal activity, something that has become increasingly commonplace over the last year. But most breaches are down to errors, either human or systematic in origin. That is why TPR has identified that a scheme’s internal controls need to include measures to reduce cyber risk.”

When a breach is encountered, Sackers noted that it was important to alert the ICO and TPR quickly, as well as giving the organisations updates on any unfolding situation.

The firm added that it was worth bearing in mind that there was “no single answer” to where things might end up after the reporting of a data breach, as the situation could escalate to any one of the ICO, TPR, the courts or the Pensions Ombudsman.

As such, it was recommended that schemes which had suffered a data breach sought to manage the situation with correct communication, noting that it was “crucial” to ensure the correct information was getting to the right parties, such as decision-makers, at the correct times.

Khan concluded: “The risk of prosecution and fines from the ICO is real and they don’t need to be headline grabbing seven figure fines to cause trustees concern.

“The key message is to ensure that you have good scheme governance and controls in place across all aspects of data management and cyber security, in order to minimise potential damage to members and the scheme’s reputation and finances should a breach happen. This is one critical responsibility that trustees cannot delegate away!”
