TPR shares learnings from Capita cyber breach

The Pensions Regulator has set out key steps trustees should take during a cyber security incident, in a new intervention report on the data leak at pensions administrator Capita last year.  

Capita administers more than 450 pension schemes with about 4.3m memberships. TPR said there are lessons to be learned from the breach at the firm, and has set out the steps trustees should take in the event of a cyber security incident.

Notably, it said, there were “several communications challenges” as the company sought to contact scheme trustees and members affected by the cyber security incident.

Delays from lack of contact details and amount of data to review

A cyber incident will involve reviewing vast amounts of structured and unstructured data, a process which is complex and takes time and resources. The regulator expects trustees to take account of this in their plans. 

“Trustees should not underestimate the amount of work involved in this type of exercise and should factor this in as part of effective contingency planning,” the regulator said. “Managing data carefully and minimising the level of unstructured data will help ensure responding to a cyber incident can be undertaken as efficiently as possible.”  

It stressed that trustees should not wait for these investigations to be resolved before contacting members if there is “a reasonable chance their data is at risk”. 

Other delays arose because Capita was required to retain a copy of a scheme's data file even though it was no longer administering that scheme, which made it harder to contact the trustees.

“We were able to provide support to Capita in making contact with those schemes. Trustees should be mindful that they may continue to have responsibility for data stored by third parties, even if a third party is no longer actively involved with the scheme,” TPR noted. It said some communication was delayed because trustees had not kept their contact details up to date on its online Exchange system.  

Where Capita was no longer the administrator, it was also necessary to agree roles and responsibilities between Capita, the trustees and the new administrator before member communications could be sent, requiring further time.  

Prioritise speed over bespoke wording

For these communications, TPR and Capita developed template wording. Where schemes chose to develop bespoke communications, this also led to delays in some cases.  

TPR suggested that this is not helpful for members: “Prompt communication should be prioritised so members are informed and can take steps to protect themselves as soon as possible.” 

Decisions over who would communicate, and capacity constraints at Capita, also meant there were some delays, with the regulator urging trustees to consider how they would communicate as promptly as possible with members as part of their contingency planning.  

The regulator does not have control over administrators but can exert indirect influence as it regulates governance by trustees.  

Capita became aware of the breach on Friday, 31 March 2023; it later established that the intrusion had occurred around 22 March. TPR said it engaged “extensively” with Capita throughout that weekend and in subsequent weeks, as well as with its regulatory partners.

A forensic investigation found that about 4% of Capita’s server estate was affected and data was accessed from less than 0.1%. The firm expects the incident to cost it between £20m and £25m.   