Trustees must demand clearer evidence of cyber resilience from their administrators in the wake of escalating national cyber risks, Trafalgar House has warned.
The pensions administrator outlined what it described as “best practice” for trustee oversight following the National Cyber Security Centre's (NCSC) issuance of fresh warnings about sustained cyber pressure across the UK.
The NCSC reported that nationally significant cyberattacks have more than doubled over the past year, with recent incidents at Marks & Spencer, Harrods, and the Co-op highlighting the severe financial and reputational damage that breaches can cause.
The warning was followed by the release of the NCSC’s updated Cyber Assessment Framework, which was published in response to what it described as a “growing threat landscape”.
The pensions industry is no exception: Trafalgar House director Daniel Taylor stressed that trustees should view cyber resilience as a central governance duty.
However, he acknowledged the challenge of knowing what effective oversight looks like in practice, admitting that "trustees increasingly recognise that cyber resilience is a critical governance responsibility, but it can be difficult to judge what good looks like".
“One of the most valuable steps they can take is to ask their administrators the right questions," he continued.
"Are defences being tested on a regular basis? Are vulnerabilities identified and resolved quickly? Can recovery procedures be proven and evidenced? Trustees should expect clear reporting on these points, not generic risk scores.”
Taylor argued that administrators should be able to demonstrate transparency, citing practical indicators such as continuous threat monitoring, evidence of resolved vulnerabilities, recovery testing results, and staff readiness exercises.
“These are the practical indicators that give trustees assurance and allow them to hold providers to account,” he added.
He further warned that the wave of attacks against household names should serve as a "stark reminder" to those involved in schemes of what is at stake.
“The recent cyberattacks affecting large firms such as Marks & Spencer, Harrods and the Co-op are a powerful reminder of how damaging these incidents can be, not only financially but also in terms of public trust," he stated.
"For trustees, the lesson is clear: cyber resilience must stay high on the agenda, and it starts with demanding the right evidence from your providers."
The intervention comes amid heightened scrutiny of digital resilience across the financial services sector, with government reviews highlighting serious gaps in critical systems.
Trafalgar House said the onus was now on trustees to ensure they had visibility into how their schemes were being protected, warning that without such oversight, they risked being unable to respond effectively to emerging threats.
The warning aligns with The Pensions Regulator’s existing guidance, which has urged trustees to treat cybersecurity as an integral part of scheme governance and to ensure that robust incident response planning is in place.
The NCSC has similarly advised boards and senior decision-makers to ensure that cyber resilience is not only measured in technical defences but also in tested recovery plans, robust staff training and clear accountability at the leadership level.
Meanwhile, the Pensions Administration Standards Association (PASA) has urged trustees, administrators, and providers to adopt a "proactive and dynamic" approach to data, sharing new guidance on improving data security and governance.