Ben Goldby
Partner
In this article we provide an overview of some of the most significant data and cyber security issues for pension scheme trustees, details on the latest legislation in these areas, and essential information that trustees need to know to manage these risks as they continue to evolve.
Most trustees will already be well advanced with their projects to comply with the Pensions Regulator's General Code of Practice (General Code). Whilst deadlines for Own Risk Assessments (ORAs) vary from scheme to scheme, most will be due over the next 12 months.
Complying with the General Code's cyber module involves reviews of cyber risk, controls and incident response plans (IRPs). Our recommended approach is for trustees to carry out frequent reviews in this area, because cyber threats change constantly. Cyber risk monitoring and response planning are practical issues rather than a compliance exercise and should form an essential part of the risk management of the scheme.
Likewise, data protection requires ongoing compliance and active governance, so periodic reviews of documentation, audits and checks on processors are required.
We support trustees of pension schemes of all sizes in taking a proportionate and risk-based approach to General Code compliance, meeting legal requirements for cyber security (see 5 below) and reviewing supply chains and their security.
We also develop, regularly review and stress-test IRPs, to help trustees prepare for and respond to a cyber incident.
For many schemes 2025 will be the year in which dashboards finally begin to take shape, with connection deadlines already looming for some larger schemes. For many, this will be a large outsourcing task, with third party administrators appointing intermediary service providers to connect to the dashboard network.
There are several key areas of risk for trustees to manage, including amending administrators' contracts and carrying out Data Protection Impact Assessments (DPIAs). Most schemes will not carry out DPIAs regularly, but they are an essential part of preparation for dashboards to ensure that the criteria being used to match records of members in the scheme do not give rise to any privacy risks.
It is important for trustees to keep up to date with how AI is being used in the pensions industry. This will have an impact on member experience, and trustees must comply with existing data requirements such as GDPR, as well as assessing the potential threat to existing cyber security measures.
AI could enable cyber criminals to operate more sophisticated pension scams or to target member data. For example, generative AI can be used for sophisticated phishing attacks whereby fraudsters fake a pensioner's identity to access their benefits. Trustees and members need to be aware of the increased sophistication of these attacks in circumstances where it will become more difficult to identify illegitimate communications targeting scheme assets, members' pots or data.
In addition, suppliers (including administrators and custodians) are likely to rely increasingly on AI tools. It is important that trustees know: (i) the use cases for AI in the delivery of services; (ii) how the AI models have been trained and whether there is any risk of, for example, bias in outputs; and (iii) whether and how the work product produced by AI models is reviewed by a human to ensure sufficient quality.
The Data (Use and Access) Bill (DUA) is likely to become law in 2025 and will make a range of changes to both the UK GDPR and the Data Protection Act 2018. The DUA aims to improve the management and accessibility of data across various sectors and boost the economy by enabling the creation of more 'smart data' schemes (allowing customers to authorise organisations to make their data available to authorised third parties, as with open banking).
Not all amendments introduced by the DUA will impact the pensions sector, but two that may (albeit in the longer term) are the introduction of: (i) digital identity verification schemes to help trustees establish the identity of individuals claiming benefits; and (ii) a smart data scheme related to pension benefits (although the Pensions Dashboard already goes some way towards addressing both of these issues ahead of the DUA being finalised). The DUA will require an assessment of accountability documents, processes and privacy frameworks to ensure compliance.
We expect the Cyber Security and Resilience Bill (CSRB) to become law in 2025. This will be the UK's equivalent to the EU's Network and Information Security Directive 2 (NIS 2), updating current regulations. Its aim is to improve the cyber defences of UK critical infrastructure and services. We expect to see increased mandatory incident reporting and cost recovery mechanisms where there has been a cyber incident.
This only serves to reinforce the imperative for pension schemes (and administrators) to get their incident response planning in shape, tested and scheduled for regular audit, and to organise regular training on the importance of cyber hygiene.
For more information on the issues discussed in this article, please contact Ben Goldby, Jocelyn Paulley or Amber Strickland.
THIS DOES NOT CONSTITUTE LEGAL ADVICE. The information presented on this website in any form is provided for informational purposes only. It does not constitute legal advice and should not be interpreted as such. No user should take or refrain from taking decisions on the basis of this information alone, nor disregard professional legal advice or delay seeking it because of something they have read on this website. Gowling WLG professionals will be pleased to discuss with the user the options available on specific legal questions.