9 February 2024
The Pensions Regulator (TPR) has issued a Regulatory Intervention Report explaining how it worked with Capita following the significant data breach that took place in March 2023. Here are five things we can learn from the Report...
This is one area where TPR works with other regulators. This is not new – TPR has worked jointly with the FCA in the past for example, but in this case TPR engaged and shared information with the FCA, PRA and Information Commissioner (ICO), each of whom will have had an interest in the Capita breach. This makes sense; members of affected pension schemes will have been subject to the same risks, regardless of who regulates their scheme, and the ICO will always be interested in a breach of this scale (and may investigate behind the scenes, including for some time after the breach has effectively been resolved).
TPR recognises the logistical challenges that are posed by a breach, particularly as a large administrator such as Capita will have to undertake significant work to establish exactly what data and which of its clients (and their underlying members) are affected. However, it is trustees who are responsible for running their scheme, and it is trustees who are the data controller for the purposes of GDPR. It is therefore ultimately the trustees' job to take whatever steps are needed to ensure the scheme can meet its obligations and to minimise harm to members, for example by communicating with them in a timely manner.
Preparation is key, and the Report is very clear that trustees should have a cyber security and business continuity plan so that if an incident occurs "trustees will have rehearsed roles, responsibilities, systems and processes". TPR's General Code says trustees should have a cyber incident response plan, but we'd suggest that where proportionate trustees should also test their plan (for example by running a cyber "war game" session).
Trustees affected by a breach shouldn't wait to hear from TPR. In fact, TPR is asking that trustees report to them on significant cyber incidents "on a voluntary basis", noting that there may be circumstances in which a report is required, such as where a scheme is unable to process core transactions and so there is a breach of law which is likely to be of material significance to TPR. Following the Capita breach, TPR contacted 383 pension schemes which they understood (from records) to be administered by Capita. However, the Report also notes that TPR's ability to support trustees was delayed because TPR itself did not hold up-to-date contact information for the scheme.
Trustees can take steps to protect their members following a breach. This is the case even if they use a third-party administrator. In addition to writing to members to notify them of the issue and related risk, trustees can:
Our pensions team has extensive experience of advising trustees on all areas of law affecting pension schemes, including data protection and getting ready for the General Code. If you would like further information on how we could help your scheme, please contact us.