TPR’s new cyber risk guidance a positive starting point, but more needs to be done, says RSM UK

11 December 2023

The Pensions Regulator (TPR) has revised its cyber security guidance for the first time since 2018, to tackle the ongoing threat posed by cyber criminals. TPR’s latest guidance follows RSM’s call in August for clearer, practical direction from the regulator to help trustees combat pension scams, protect members’ data and safeguard scheme assets.

TPR’s new guidance on cyber risk helps trustees and scheme managers meet their duties to assess risk, ensure controls are in place across their own and their third parties’ environments, and respond to incidents. TPR is also asking trustees to help combat cyber risk by reporting significant cyber-related incidents.

Commenting on the latest guidance, Stuart Leach, cyber risk partner at RSM UK, said: ‘With the threat of cyber-attacks increasing, TPR’s latest guidance on cyber security is essential, especially as in the year to June 2023, there was a 4,000% increase in pension scheme cybersecurity breaches. It is positive to see that much of RSM’s feedback on the need for clearer and practical measures has been included, with a focus on ensuring cyber security across the sector’s third-party ecosystem and reporting and responding to incidents. This highlights the importance of TPR continuing to collaborate with industry and other relevant bodies, to ensure guidance continues to evolve and the bar for minimum standards is raised on cyber controls and risk management.

‘The guidance also anticipates the long-awaited General Code, which is useful in giving trustees a broad steer on what is expected of them, something which has previously been open to interpretation. Trustees will be able to use the cyber security guidance to be in a more informed position to adopt and comply with the cyber requirements and principles in the General Code’s updates.’

He added: ‘While today’s announcement brings welcome news and is a good starting point for bringing a balance between practical advice and the principles set out in the General Code, there will no doubt be more work for TPR to do to ensure trustees and scheme managers are pointed towards evolving best practice and practical steps. With the backdrop of an ever-changing threat landscape, we look forward to further sharing our views with TPR to support trustees in managing cyber risk.’