Pension schemes hold decades of member data and significant assets, which makes them a growing target for cyber criminals.
Sam Howell, Senior Associate at Burges Salmon, specialises in pensions law and cyber resilience. She explains how trustees can respond to rising threats and tighter regulatory expectations.
For scheme governance, the urgent question is what trustees should put in place now before an incident forces reactive decisions.
You can subscribe to our Sense of Identity audio podcast series on your podcasting platform of choice using the links on our Spotify page. You can watch the video on YouTube, or listen on Apple Podcasts.
Created from episode transcript
Pension trustees and administrators are under pressure to protect member data, keep third-party relationships under review, and treat cyber resilience as part of ordinary governance alongside funding, administration, and member communications.
Why Pension Schemes Face Sharper Cyber Pressure
Cybersecurity matters in every sector, but the pensions sector combines large volumes of sensitive personal data with assets that criminals may try to reach through fraud or disruption.
Sam Howell works on cybersecurity for pension schemes at Burges Salmon, alongside the firm's data protection and dispute resolution teams. She advises private and public sector clients through one of the largest pensions practices in the UK.
She points to a sharp rise in reported cybersecurity breaches affecting UK pension schemes over the past 18 months, including a 4,000% increase in reported incidents. That figure comes from her work with schemes and should be treated as interview context until your governance team has verified the underlying source for your own reporting.
The pattern she describes fits a wider shift: criminals are paying more attention to pensions because of the data and money flows the sector controls.
"Cybersecurity is critical across all sectors, but it has become especially urgent in pensions due to the vast amounts of sensitive data and assets managed."
Sam Howell, Senior Associate, Burges Salmon
Schemes that wait for a headline incident before tightening controls often discover gaps in contacts, documentation, and member communication at the worst moment.
How Regulatory Expectations Are Shifting
The Pensions Regulator has updated its approach to cyber risk, moving from guidance that emphasised good practice toward clearer expectations that schemes must act.
TPR's updated guidance, as she describes it, places more weight on mandatory cybersecurity measures than on optional recommendations alone.
She also refers to a new general code that came into force in March 2024, setting out trustee obligations and stressing that schemes should prepare for cyber incidents as a matter of when, not if.
Trustee boards need cyber preparation on the same footing as funding and administration.
That shift changes the conversation in board packs and adviser meetings. Cyber resilience becomes something trustees must be able to describe, document, and improve over time.
Five Steps Trustees Can Start With
Sam Howell sets out five foundational steps that form the backbone of a practical cyber resilience approach for schemes of different sizes.
"Trustees should start with five fundamental steps: establish a cybersecurity policy, create an incident response plan, ensure key contact details are accessible during incidents, document all cybersecurity actions for ongoing assessment, and provide regular cybersecurity training."
Sam Howell, Senior Associate, Burges Salmon
The same priorities can be turned into a short board-level checklist without losing the detail behind each item.
Trustee Cyber Resilience Checklist
Establish a cybersecurity policy the board can stand behind.
Create an incident response plan with named roles and escalation paths.
Keep key contact details accessible during an incident and in day-to-day files.
Document cybersecurity actions so the board can review progress over time.
Provide regular cybersecurity training for trustees and relevant administrators.
These steps are deliberately operational. They give trustees a shared language with administrators, legal advisers, and IT providers when discussing what "good" looks like for their scheme.
Proportionate Resilience for Smaller Schemes
Not every scheme has the budget of a large master trust or corporate pension arrangement. Sam Howell stresses that proportionality still allows meaningful progress.
Smaller schemes can take manageable, cost-effective steps that build significant resilience when they are tailored to the scheme's size, complexity, and outsourcing model.
At Burges Salmon, the firm has developed a cybersecurity package with templates and training aimed at helping schemes meet minimum expectations and protect members. That kind of packaged support can reduce the blank-page problem for boards that know they need to act but lack in-house specialist resource.
Smaller schemes can show defensible progress against the risks and regulatory direction that apply to them without copying a large-scheme playbook line by line.
Going Beyond the Minimum
Once the basics are in place, Sam Howell recommends deeper activities that strengthen response over time.
These include data and asset mapping, regular review of third-party contracts for cyber provisions, and advanced exercises such as war games to simulate incident response.
Supplier and administrator relationships matter because many schemes depend on external parties for administration, payroll interfaces, and member communications. Contract reviews help trustees understand where responsibilities sit when something goes wrong.
"When trustees need to share sensitive updates with members or advisers, the breach itself is only part of the problem. The next message recipients receive also has to look trustworthy."
Paul Holland, Founder and CEO, Beyond Encryption (Mailock)
Teams handling member or employer communications should also understand how impersonation attacks over email can exploit trust after a period of disruption.
Member Communications After a Cyber Incident
A breach or near-miss often creates immediate pressure to contact members. Sam Howell warns that speed and accuracy both matter.
Trustees need to inform members in a timely way while making sure the information is correct and actionable. Rushed messages that later need correction can damage trust as much as the original incident.
Planning ahead helps. That includes agreeing alternative communication channels before they are needed and testing who can approve member-facing statements during an outage or compromise.
Incident response is a member communication and governance exercise as well as a technical one.
FAQs
Why Is Cybersecurity Particularly Important for Pension Schemes?
Pension schemes hold sensitive member data and manage significant assets. Reported cybersecurity breaches affecting UK pension schemes have risen sharply, which makes cyber resilience a board-level priority.
What Should Trustees Do First to Improve Cyber Resilience?
Sam Howell recommends starting with a cybersecurity policy, an incident response plan, accessible key contacts, documented actions for board review, and regular training for trustees and relevant administrators.
Can Smaller Pension Schemes Achieve Effective Cybersecurity?
Yes, through proportionate steps. Smaller schemes can take manageable actions tailored to their resources rather than adopting every control used by the largest arrangements.
How Should Trustees Communicate with Members After an Incident?
Communications should be timely, transparent, and accurate. Planning alternative channels in advance helps trustees reach members when usual routes are unavailable or compromised.