The Pensions Regulator (TPR) in the UK has streamlined its guidance for pension scheme governance with a new “General Code of Practice,” replacing 10 previous codes with a single set of clear expectations. Effective March 27, 2024, the code comprehensively addresses critical areas, including cybersecurity.

Cybersecurity is a key focus given the recognition that pension schemes are attractive targets for cybercriminals due to their sensitive data and assets. The revamped code introduces mandatory reporting of significant cyber incidents to aid TPR in assessing industry-wide and member-specific risks.

For governing bodies of all occupational, personal, and public service pension schemes, the General Code outlines mandatory cybersecurity expectations:

  • Policies and procedures: Enact measures to guard against cyberattacks, data breaches, and unauthorized access.

  • Regular reviews: Continuously update cybersecurity policies and procedures.

  • Staff awareness: Educate all staff on the risks and mitigation strategies.

  • IT security training: Provide staff with proper training on secure IT system usage.

  • Incident reporting: Establish a procedure for reporting cyberattacks and data breaches.

  • Mitigation strategies: Plan for minimizing the impact of cyberattacks and data breaches.

  • Cyber insurance consideration: Evaluate the need for and benefits of cyber insurance coverage.

The General Code of Practice (2024)
Source: The Pensions Regulator

Additionally, the code specifies the essential elements of a robust cybersecurity policy:

  • Access control: Implement measures to restrict access to IT systems and data based on need-to-know.

  • Password security: Enforce strong password requirements and regular password changes.

  • Data encryption: Secure sensitive data with encryption at rest and in transit.

  • Incident response plan: Define a clear plan for responding to cyberattacks and data breaches.

  • Business continuity plan: Develop a plan to maintain operations in the event of a cyberattack or data breach.