Cyber Security for UK pension scheme trustees: FAQ Guide 2026
What are the biggest cyber security threats facing UK pension schemes in 2026?

UK pension schemes face increasing cyber security threats including ransomware attacks, supply chain breaches, and data theft. Recent high-profile incidents demonstrate that pension administrators and trustees must prioritise cyber resilience. Hackers target any vulnerable system, making trustee oversight of third-party administrator security critical.
LawDeb Head of Trusteeship Jane Beverley and Head of Defined Contribution (DC) Elizabeth Hartree recently co-hosted a client event with law firm A&O Shearman which focused on cyber and AI in pensions.
During their panel the speakers shared their top tips for trustees managing the risks and opportunities around cyber security and AI. Here we share some of the questions and our experts’ responses.
How should pension scheme trustees respond to a cyber attack?
When trustees suspect a cyber incident, immediate action is essential. Best practice cyber incident response includes:
- Taking all security warnings seriously from the outset
- Maintaining up-to-date and accessible emergency contact lists (home and mobile numbers)
- Establishing dedicated emergency communication channels (e.g. a WhatsApp group for urgent issues)
- Documenting the timeline of events immediately
- Maintaining an audit trail of decisions taken during the incident
What are pension scheme trustees' cyber security responsibilities under TPR guidance?
The Pensions Regulator expects trustees to maintain robust cyber security frameworks including:
- Incident response plans tailored to pension scheme operations
- Communications strategies for member notification during breaches
- Regular testing through tabletop exercises (at least annually)
- Third-party due diligence on administrator cyber controls
- Service Level Agreements (SLAs) with clear security alert response times
TPR guidance emphasises that trustees must have communications plans for generic cyber scenarios and should leverage sponsor company expertise where available.
What should be in a pension scheme cyber incident response plan?
Effective incident response plans prioritise accessibility over length. A concise two-page plan typically works better than lengthy manuals during actual incidents. Essential elements include:
- Key contact information (print copies for offline access)
- Decision-making flowchart showing escalation paths
- Critical function dates and priorities (e.g. pensions payroll dates)
- Third-party contact details (administrators, lawyers, cyber specialists, insurers)
- Member communication templates
- Regulatory reporting obligations and timeframes
- Media handling procedures
What questions should trustees ask administrators about cyber security?
Robust oversight requires trustees to regularly assess:
- Incident history: What breaches or near-misses have occurred?
- Security certifications: Current Cyber Essentials Plus, ISO 27001, or similar
- Penetration testing: Frequency and results of external security assessments
- Supply chain security: How are their contractors and sub-processors vetted?
- Incident response capability: Documented plans and testing evidence
- Insurance coverage: Adequate cyber liability insurance limits
- Data location and encryption: Where data is stored and how it's protected
Practical Action Steps for UK Pension Scheme Trustees
Where can UK pension trustees find additional cyber security guidance?
Key resources include:
- The Pensions Regulator: Cyber security guidance and incident reporting requirements
- Information Commissioner's Office: Data protection and breach notification obligations
- National Cyber Security Centre: Technical guidance and threat intelligence
- Pensions industry bodies: Pensions UK, PMI resources and working groups
- Legal advisors: Specialist pensions and cyber security counsel
- Case studies: Learning from incidents such as the Capita breach
This FAQ guide reflects current best practice as of January 2026. Pension trustees should regularly review cyber security and AI governance arrangements as threats and technologies evolve. For scheme-specific advice, consult specialist pensions legal and cyber security advisers.