5 steps to improving your pension scheme’s cyber security

Why cyber security remains a growing concern for pension schemes
The disruption to businesses and consumers from recent cyber-attacks, such as those affecting Jaguar Land Rover, M&S and the Co-op, highlights the increasing sophistication and frequency of these attacks. We were not surprised that trustees continued to rank cyber security and AI as the systemic risk that worried them most in our DB pensions priorities 2025 survey. We have increasingly seen a shift in trustees’ mindsets to “when”, rather than “if”, so it’s pleasing to see that respondents to our survey also felt more prepared to address cyber risk in 2025 when compared to the previous year.
The importance of cyber security, particularly for administrators, was identified as a key area of focus in The Pensions Regulator’s latest market oversight report. The Regulator observed that, whilst awareness is increasing, there remains more to be done by administrators and trustees to better protect savers. It also highlighted the importance of considering broader operational risks which might interrupt key scheme functions, a view we strongly support.
Of course, it’s impossible to plan for every eventuality but in this blog, we focus on the cyber risks facing pension schemes and outline 5 steps trustees can take to improve their scheme’s cyber security. Whilst cyber security is the focus, many of the learnings from past cyber-attacks can be applied to increase preparedness for any unexpected event, no matter what the cause.
Cyber security considerations for pension scheme trustees
Most pension schemes rely on specialist third-party providers, but this doesn’t mean that trustees can outsource their obligations; not least because they are the data controller for the processing activities outsourced to others and have ultimate responsibility for the safety of their scheme’s assets. When a cyber-attack occurs, it will be the trustees’ responsibility to manage the response. This could include notifying regulatory bodies, working closely with an affected third party, liaising with the sponsor and, if member data is lost, informing members.
It’s important to recognise that the pensions industry is heavily concentrated in a number of very large providers. Did you know, for example, that more than 15 million pensions are paid by just four firms? Or that more than £900 billion in assets under management are governed by four professional trustee firms?
There have been a number of high-profile cyber-attacks in recent years. In our experience trustees who have practised their incident response and planned for the unexpected are able to respond more quickly. Going back to the concentration of schemes with several very large providers, those schemes that are more prepared with established communication and escalation routes will be able to seek updates and information more quickly than those that need to establish these links in a crisis.
Why are pension schemes an attractive target for cyber criminals?
Pension schemes contain two valuable assets that are attractive to cyber criminals: financial assets and personal information.
Where schemes are reliant on third parties to operate, their cyber footprint (i.e. where their data and assets are held and/or processed) can be unclear or potentially out of date. Most commonly this is due to a change of provider, but there are other scheme events that should prompt a revisit, such as mergers, bulk transfers or insurance transactions. Most third parties use sub-processors, which further increases the number of possible access points for cyber criminals and the complexity of assessing your cyber footprint.
Cyber criminals are aware that sponsors will be concerned not just by the loss of data or assets, but potentially the wider impact on their reputation of any negative publicity. There could also be an ideological reason for a cyber-attack. After all, it’s likely that it’s the sponsor’s name that ends up in the news following a pension scheme cyber-attack.
What are the risks that can materialise if a cyber-attack takes place?
Risks can be categorised into three broad categories:
Financial
In addition to the loss of assets or data itself, there are potentially also costs associated with:
- fines, which could be significant;
- incident response, including any advisory fees; and
- restoring service delivery, particularly if your administrator were to be affected.
Operational
As trustees, your valuable time should be focused on strategic matters. But if an incident were to occur and roles and responsibilities are not clear, incident response could take up valuable trustee time. It can have a knock-on impact on the running of your pension scheme, such as paying pensions or time-critical projects, such as an insurance transaction. Are you prepared to manage multiple crises?
Reputational
A cyber-attack could have a reputational impact on not just the scheme but also the sponsor. If it later turns out that your members’ data has been lost, we have seen there is risk of further reputational impact from member complaints, including the potential for class actions in some circumstances and negative press relating to the perception of how the incident was handled.
How can trustees improve their pension scheme’s cyber resilience?
Adopting a “when” rather than “if” mentality means considering not just how to prevent cyber-attacks from occurring, but also how to respond and recover should they occur (i.e. becoming more resilient). A helpful starting point is The Pensions Regulator’s cyber security principles for pension schemes. In its guidance, the Regulator is clear that, as trustees, you are not expected to be cyber experts; however, you should consider your scheme’s cyber risk and assess whether adequate controls are in place. But why focus only on cyber resilience? What other operational risks worry you most? What other steps can you take to improve the resilience of your scheme’s key functions, such as the payment of pensions?
There are five steps trustees can take to improve their scheme’s cyber resilience.
1. Introductory training
Trustees should explore their obligations and The Pensions Regulator’s expectations, and consider what worries them most about cyber risk. There isn’t a one-size-fits-all approach to mitigating cyber risks, and the increasing use of AI means that threats continue to evolve.
2. Assess and understand the risks for your scheme
Specifically, trustees should assess and understand their scheme’s cyber footprint. When we consider a scheme’s footprint, we look at where personal data is held and how it flows between advisers, and also where assets are held and how investment instructions are authorised and validated. This will evolve as advisers, providers or scheme circumstances change (e.g. a move to insurance or a master trust). In addition to sub-processors, consider whether any legacy providers retain your scheme’s data.
3. Ensure controls are in place
Once your scheme’s cyber footprint has been assessed and understood, trustees should ensure that sufficient controls are in place. Since most schemes’ operations are outsourced (and likely sub-outsourced), trustees should seek assurances that providers and advisers have appropriate cyber controls in place. Like the cyber footprint, this should be revisited when new advisers or providers are appointed, including, for example, an insurer.
Alongside this, we also suggest considering insurances and contractual provisions which could help mitigate the potential financial impact should an incident occur.
Consider the Trustee Board’s own information and cyber security practices, and the controls in place to secure the data and investment instructions that trustees receive and share.
4. Responding to incidents
In recent years, it’s become clear that trustees should be prepared to respond to unexpected events. We have seen many such events, from the financial crisis that followed the 2020 coronavirus pandemic, to the LDI crisis of 2022 and, more recently, the impact of geopolitical instability on scheme operations and investments.
Whilst you cannot prepare for every possibility, you can practise your crisis management response and test your business continuity plans. We find scenario-planning workshops are an extremely effective and engaging way of testing incident response. You can read more about a recent example in this case study.
5. Review and repeat!
Cyber resilience isn’t a one-off exercise. To be effective, controls and response plans should be embedded in your scheme’s wider risk management frameworks and its Effective System of Governance, and regularly reviewed, especially when scheme circumstances change significantly. We expect that cyber risk for pension schemes will only continue to evolve, and for this reason it should remain a key area of focus for trustees and sponsors alike.
If you would like to know more about how LCP can help your scheme become more resilient to unexpected events, please get in touch with your regular LCP contact or contact Peter Shaw.
You can also read more about why we believe there needs to be a shift in mindset for pension scheme trustees in our blog: Thinking “when” rather than “if” about cyber risk.