Regulator publishes report of Capita cyber incident

On February 2, 2024, the Regulator published  a report outlining its work with Capita to assess the risk to pension schemes and their members following a cyber security incident which came to light on March 31, 2023.

As well as describing the background to the unauthorised accessing of data held by Capita in relation to various schemes, the report sets out the key steps which the Regulator suggests trustees should take in the event of a cyber incident:

• Communicate with the employer, administrator or other service provider to understand how the scheme and members are impacted.
• Notify the Regulator as appropriate, and the Information Commissioner’s Office if any personal data is involved.
• Establish whether key services and interfaces with other parties can be operated safely.
• Consider whether any immediate actions are required to safeguard members’ benefits.
• Alert members and direct them to appropriate guidance so they can take the necessary action to protect their personal information.
• Direct members to the National Cyber Security Centre guidance for individuals.
• Monitor increased or unusual transfer requests.
• Repeat warnings to members about pension scams.

Although not an “intervention report” from the Regulator, the paper is a useful summary of trustees’ obligations as data controllers.