ARTICLE
17 January 2024

Regulator Updates Its Cyber Security Guidance And Asks Schemes To Report Significant Incidents

Norton Rose Fulbright Hong Kong



On December 11, 2023, the Regulator updated its guidance on Cyber security principles for pension schemes, which was first published in April 2018.

The revised guidance sets out practical steps schemes can take to meet the Regulator's expectations on cyber security. These expectations are included in the Regulator's draft General Code of Practice, which is not yet in force. They include:

  • Actively considering cyber security when making third-party selections such as administrators.
  • Key controls in terms of staff training and data security.
  • Principal considerations in incident response plans, including those of third parties.

The revised guidance includes a new section asking schemes, advisers and providers to report "significant" cyber incidents to the Regulator on a voluntary basis. Significant incidents are those likely to result in a significant loss of member data, major disruption to member services, or a negative impact on other pension schemes or service providers. Such incidents should be reported as soon as reasonably practicable: schemes do not need to conduct a full incident investigation before reporting.

The Regulator emphasises that this reporting requirement does not replace existing legal requirements to report cyber incidents to the Information Commissioner's Office, or to report breaches of pensions law likely to be of material significance to the Regulator under section 70 of the Pensions Act 2004. In certain circumstances, schemes may also be required to report significant cyber incidents to the National Cyber Security Centre.
