Cyber security – Pensions Regulator publishes updated guidance for trustees | Mayer Brown


With the pensions industry having direct experience of recent cyber security incidents, the Pensions Regulator (TPR) has updated its guidance for trustees in this area. As a reminder, this year saw Capita suffer a cyber security breach (see our legal update) and the Pensions Ombudsman experience a cyber incident. This legal update summarises some of the practical steps that TPR expects trustees to take in order to meet expectations in its draft General Code (yet to be finalised).

The trustees’ role

As trustees are accountable for the security of scheme information and assets (even though others handle data and manage technology on their behalf), they must:

  • Understand their scheme’s cyber risk.
  • Make sure that those handling data or managing technology on their behalf have controls in place to reduce the risk of cyber incidents occurring and their impact.
  • Manage cyber incidents that arise.

Regularly reviewing and keeping records of their assessment of cyber risk, controls and response plans, as well as ensuring they have access to cyber risk expertise, are just some of the steps that TPR expects trustees to take.

More widely, trustees need to ensure that the…
