Bulletins | July 28, 2023

Not if, but when: Data breach readiness for trustees

In May 2023, pension schemes were informed of a cyber security incident which affected thousands of pension scheme members. This incident illustrates that cyber risk is not theoretical, and it is likely to increase in the near future as digitalisation of the pensions sector continues, accelerated by the upcoming roll-out of the Pensions Dashboard.

No sector is immune from cyber incidents and data controllers need to be prepared for “when” rather than “if” one might happen. Trustees must, with the help of their advisers, deal with a real-world personal data breach and act quickly to report it to the Information Commissioner’s Office (ICO).

The ICO notification is not required if the risk is low; for example, if there is certainty that no personal data was exfiltrated or the affected data was encrypted and inaccessible to the attacker. However, juggling the regulatory messaging from The Pensions Regulator and the Financial Conduct Authority can be a real challenge for trustees who try to balance their duties to members with regulatory pressure.

Beth Brown of Arc Pensions Law LLP and Wedlake Bell Partner Alex Dittel recently discussed how pension scheme trustees can comply with data protection and address cyber risk.

Our webinar took place on Monday 24 July; to view it, please see here.