TPR writes letter to schemes following Capita cyber incident

Regulator urges schemes to determine if Capita breach poses risk to scheme data

Jonathan Stapleton
clock • 1 min read
TPR writes letter to schemes following Capita cyber incident

The Pensions Regulator (TPR) has written to a number of defined benefit and defined contribution schemes following a data breach at Capita.

At the end of March, Capita revealed it had experienced a cyber incident, one which had primarily impacted access to internal Microsoft Office 365 applications. At the time it said there was "no evidence of customer, supplier or colleague data having been compromised".

However, in an update on 20 April, the business process services firm said there was "some evidence of limited data exfiltration" among some sections of its server estate which could include customer, supplier or colleague data.

Capita provides pensions administration services for over 450 clients, although it is not yet clear whether scheme data has been impacted by the cyber incident.

In its letter to schemes, the regulator reminded trustees of their duties to members - urging them to "determine whether there was a risk to their scheme's data".

A TPR spokesperson said: "We take IT security and the risk of cyber attacks extremely seriously. That's why we have issued guidance for trustees.

"In light of the cyber incident directed at Capita, we have asked trustees of schemes which employ Capita as their administrator to speak with the company to understand more about the situation and to help determine whether there is a risk to their scheme's data.

"If a trustee establishes that their scheme has suffered a data loss, they have a duty to notify TPR, other authorities and impacted individuals. Our communication requires trustees to read TPR's and the Information Commissioner's Office (ICO) guidance on cyber and IT security and to make sure they are familiar with their responsibilities.

"We are also asking schemes to report to us what steps they have taken to ensure their obligations as data controller have been met."

More on Admin / Technology

Sian Jones: The acquisition of Idiom allows us to broaden our horizons and venture more deeply into the buy-in and buyout market

Heywood Pension Technologies completes acquisition of Idiom

Firm says deal will ‘open doors’ to new markets and opportunities

Jonathan Stapleton
clock 02 October 2023 • 1 min read
XPS data shows reduced scam reports in August, as Broadstone says good admin can help members

Admin key to helping members avoid scams

Broadstone praises TPR’s approach as XPS data shows monthly drop in red flag reports

Jasmine Urquhart
clock 29 September 2023 • 2 min read
Rory Murphy: Keeping member records accurate can improve outcomes for savers

Industry can and should do better on record keeping inaccuracies

Rory Murphy says members end up footing the bill for poor scheme and provider service

Rory Murphy
clock 26 September 2023 • 3 min read