TPR writes letter to schemes following Capita cyber incident

Regulator urges schemes to determine if Capita breach poses risk to scheme data

Jonathan Stapleton
clock • 1 min read
TPR writes letter to schemes following Capita cyber incident

The Pensions Regulator (TPR) has written to a number of defined benefit and defined contribution schemes following a data breach at Capita.

At the end of March, Capita revealed it had experienced a cyber incident, one which had primarily impacted access to internal Microsoft Office 365 applications. At the time it said there was "no evidence of customer, supplier or colleague data having been compromised".

However, in an update on 20 April, the business process services firm said there was "some evidence of limited data exfiltration" among some sections of its server estate which could include customer, supplier or colleague data.

Capita provides pensions administration services for over 450 clients, although it is not yet clear whether scheme data has been impacted by the cyber incident.

In its letter to schemes, the regulator reminded trustees of their duties to members - urging them to "determine whether there was a risk to their scheme's data".

A TPR spokesperson said: "We take IT security and the risk of cyber attacks extremely seriously. That's why we have issued guidance for trustees.

"In light of the cyber incident directed at Capita, we have asked trustees of schemes which employ Capita as their administrator to speak with the company to understand more about the situation and to help determine whether there is a risk to their scheme's data.

"If a trustee establishes that their scheme has suffered a data loss, they have a duty to notify TPR, other authorities and impacted individuals. Our communication requires trustees to read TPR's and the Information Commissioner's Office (ICO) guidance on cyber and IT security and to make sure they are familiar with their responsibilities.

"We are also asking schemes to report to us what steps they have taken to ensure their obligations as data controller have been met."

More on Admin / Technology

IGG launches data analysis platform

IGG launches data analysis platform

IGGiQ will provide schemes with funding data and ESG risk analysis

Jasmine Urquhart
clock 11 June 2024 • 2 min read
Enplan adds Nottingham Building Society to DB consolidation platform

Enplan adds Nottingham Building Society to DB consolidation platform

DB consolidation platform owned by Isio and Gateley adds fifth building society

Jasmine Urquhart
clock 10 June 2024 • 2 min read
Why we need to build a National Pension Grid

Why we need to build a National Pension Grid

Martin Freeman says whichever approach to small pots is chosen, the technology is the same

Martin Freeman
clock 31 May 2024 • 5 min read
Trustpilot