On December 11, 2023, the Regulator updated its guidance on Cyber security principles for pension schemes, which was first published in April 2018. 

The revised guidance sets out practical steps schemes can take to meet the Regulator's expectations on cyber security. These expectations are included in the Regulator's draft General Code of Practice which is not yet in force. They include:

  • Actively considering cyber security when making third-party selections such as administrators.
  • Key controls in terms of staff training and data security.
  • Principal considerations in incident response plans, including those of third parties.

The revised guidance includes a new section asking schemes, advisers and providers to report "significant" cyber incidents to the Regulator on a voluntary basis. Significant incidents are those likely to result in a significant loss of member data, major disruption to member services, or a negative impact on other pension schemes or service providers. Such incidents should be reported as soon as reasonably practicable: schemes do not need to conduct a full incident investigation before reporting.   

The Regulator emphasises that this reporting requirement does not replace existing legal requirements to report cyber incidents to the Information Commissioner's Office, or to report breaches of pensions law likely to be of material significance to the Regulator under section 70 of the Pensions Act 2004. In certain circumstances, schemes may also be required to report significant cyber incidents to the National Cyber Security Centre.



Contacts

Lesley Browning
Lesley Browning
Partner
Email
lesley.browning@nortonrosefulbright.com
T: +44 20 7444 2448 / +44 77 1030 3311
Shane O'Reilly
Shane O'Reilly
Partner
Email
shane.o'reilly@nortonrosefulbright.com
T: +44 (20) 74443895

Industry:

Practice area:

Recent publications

digital face

Publication

Prepare for change: How businesses can thrive under the EU AI Act

On February 2, 2024, the Belgian Presidency of the Council of the European Union confirmed that the Committee of Permanent Representatives had signed the Artificial Intelligence (AI) Regulation, referred to as the AI Act. Approval by the EU Parliament followed on 13 March 2024, and the AI Act is likely to appear in the EU’s Official Journal around May 2024. The AI Act aims to establish a stringent legal framework governing the development, marketing, and utilisation of artificial intelligence within the region, thereby marking a significant advancement in the regulation of this burgeoning domain.

Global | July 17, 2024

Artificial intelligence (AI)

Publication

Private Credit: Public Challenges

The private credit market and direct lending have grown and diversified immensely in the past decade, offering alternative sources and terms of debt compared to those historically provided by the syndicated leveraged loan and public issuance markets. Consequently, they are fast becoming pivotal components in the capital ecosystem, so much so that the Bank of England consider that the private credit market is currently responsible for approximately $1.8 trillion of debt issuance, which is four times its size in 2015. This growth has been particularly pronounced in Europe and the US but there has also been significant activity in Asia.

Global | July 11, 2024

Banking and finance

Publication

Artificial intelligence and liability: key takeaways from recent EU legislative initiatives

The EU’s Artificial Intelligence Regulation, commonly referred to as the AI Act, is expected to come into force during the summer of 2024 (the AI Act). The AI Act will be the first comprehensive legal framework for the use and development of artificial intelligence (AI), and is intended to ensure that AI systems developed and used in the EU are safe, transparent, traceable, non-discriminatory and environmentally friendly.

Global | July 10, 2024

Technology
Site search

Subscribe and stay up to date with the latest legal news, information and events . . .

Register now