Cyber incidents reported to TPR from 1 January 2019

FOI reference - FOI-285
Date - 18 July 2024

Request

Please provide the following information from 1st January 2019 to present day broken down by month.

  1. Please confirm the number of cyber incidents reported to TPR in the past 5 years.
  2. For each cyber incident, please confirm:
    • The total number of members in the affected pension schemes.
    • The total number of pension scheme members impacted by the cyber incident.
    • How many of these incidents arose from (i) an external risk (such as a cyber attack or hack); or (ii) an internal risk (such as a staff error).
    • How many fines, penalty or sanctions were issued in response to the reported cyber incident by TPR.
    • The total value of fines and/or penalties issued.
  3. Please provide copies of all policies governing TPR’s interactions or relationship with the Information Commissioner’s Office (ICO) in respect of cyber incidents.
  4. Please provide a copy of any memorandum of understanding between TPR and the ICO.

Response

Following a search of our records, I have established that we do not hold the information you have requested.

In relation to questions a and b, schemes are under no obligation to report cyber incidents to The Pensions Regulator (TPR) as standard. TPR's latest guidance (December 2023) introduces a voluntary ask for the following:

“We are asking schemes, their advisers and providers to report significant cyber incidents to us on a voluntary basis, in an open and co-operative way, as soon as reasonably practicable. You do not need to conduct the full incident investigation before reporting to us.

A significant cyber incident is likely to result in:

  • a significant loss of member data
  • major disruption to member services
  • a negative impact on a number of other pension schemes or pension service providers”

Regarding question c, I would also point you in the direction of the ICO, who have stringent requirements for reporting cyber incidents and may hold some information on the data you are seeking.

Finally, regarding question d, we do not have a memorandum of understanding between TPR and the ICO.