This report outlines how we worked with Capita to assess the risk to pension schemes and their members following a cyber security incident.
It should be helpful to trustees: it includes some lessons learned and sets out the steps trustees should take in the event of a cyber security incident.
Published: 02 February 2024
Summary
Capita became aware of a cyber security incident on 31 March 2023. As Capita is one of the UK’s largest pension scheme administrators, this cyber security incident represented a potentially significant risk that criminals could:
- gain access to the personal data of a large number of members of the schemes it administers, and
- cause wide disruption to services which could prevent the payment of pensions from affected schemes.
While TPR does not have direct regulatory grip over administrators, we regulate how trustees govern their pension schemes, including their relationships with administrators. In this case, we worked closely with Capita to assess the risk to schemes and their members. As well as focusing on the risk of disruption to pension payments, we wanted to ensure Capita was doing as much as possible to identify the impact of the cyber security incident and to quickly inform trustees of affected schemes and members so that protective measures could be taken.
We quickly contacted the trustees of schemes administered by Capita to highlight the expectations set out in our cyber security guidance, and the steps we expected trustees to take. This included communicating with members and meeting their obligations as data controllers. Our engagement formed part of a multi-pronged approach that enabled us to share our understanding with other regulatory parties, including the Financial Conduct Authority, the Prudential Regulation Authority, the Information Commissioner’s Office (ICO) and the National Cyber Security Centre.
Background
Capita is a leading provider of business process services. It is one of the largest third-party administrators in the UK, as well as being the UK government’s largest IT outsourcing supplier and the UK’s leading customer services provider. It administers over 450 pension schemes with approximately 4.3 million memberships.
On Friday 31 March 2023, Capita became aware of a cyber security incident, which resulted in the exfiltration (that is, data being accessed and copied out of its systems by an unauthorised party) of certain data. We engaged extensively with Capita throughout the weekend and were in regular contact with our regulatory partners.
On 3 April 2023, Capita reported that there had been disruption to some services provided to individual clients’ pension schemes, and that immediate steps had been taken to successfully isolate and contain the issue. We continued to engage with Capita to get assurance that pensions would be paid on time and administrative services would be returned to normal as soon as possible.
As Capita continued to investigate the incident, it released a further public update on 20 April 2023, explaining that it was working closely and at speed with specialist advisers and forensic experts to investigate the incident and to provide assurance about any potential exfiltration of customer, supplier or colleague data.
Their investigations revealed that the incident appeared to have arisen as a result of unauthorised access on or around 22 March 2023, and was interrupted by Capita on 31 March 2023 as soon as they became aware of it. At that time, it was thought that the incident had potentially affected about 4% of Capita’s server estate, which could include customer, supplier or colleague data.
Capita subsequently revised this figure in its update on 10 May 2023, confirming that, based on forensic work carried out in-house and by third-party providers, some data was exfiltrated from less than 0.1% of its server estate. Capita noted in its half-year results published on 4 August 2023 that it expected to incur exceptional costs of between £20 million and £25 million associated with the cyber security incident, including the complex forensic analysis.
Regulatory action
Our immediate focus was to ensure pensioners and other beneficiaries were able to receive pension payments on time, and Capita confirmed that there was no interruption to the payment of benefits. We then engaged with Capita to ensure that administrative services, which had been disrupted by the incident, were returned to normal.
It was important to understand which files had potentially been exfiltrated and how this translated to the individual schemes that had been affected. At a scheme level, it was then necessary to identify which members had been affected and what specific member data had been exposed. We encouraged Capita to communicate fully and promptly with trustees as they worked out the extent to which individual schemes’ data had been compromised.
After informing each scheme that it had been affected by the cyber security incident, Capita worked with the trustees to provide more detailed information to identify which members and specific data had been affected (eg name, date of birth, address, pension amount, bank account). This was a complex exercise, given the detailed forensic analysis that was necessary to obtain the member-level data for the large number of members and schemes involved. The data matching, de-duplication and validation of the initial results added to the complexity and time required by Capita to obtain a robust and accurate dataset.
We expected Capita to let trustees know whether their scheme had been affected as soon as possible. This would give trustees time to consider the steps they needed to take, including:
- protecting assets and scheme members
- reviewing their obligations as data controllers, including reporting requirements
- considering when and how they would communicate with members
- engaging advisers as necessary to support trustee decision-making
Providing this information to trustees also enabled the trustees, as data controllers, to:
- report a personal data breach to the ICO if required
- inform affected scheme members of the breach and what actions they could take to protect themselves against fraud
After we were notified about the cyber security incident, we contacted 383 pension schemes that our records indicated were administered by Capita. This began with an email campaign to 324 scheme contacts on 20 April 2023, followed by communications to additional schemes. We asked trustees to let us know what steps they had taken to ensure they were meeting their scheme obligations towards members, as well as their obligations as data controllers.
We sent two further emails to Capita-administered schemes on 3 and 10 May 2023, which reinforced our messaging and pointed to our relevant guidance and expectations.
Through our email campaigns, we raised awareness of our guidance on cyber security principles with scheme trustees. We then published a statement on 12 May 2023, linked to that guidance, reminding trustees that they were responsible for members’ data and that, if they used Capita’s services, they should keep communicating with Capita as the situation evolved to understand whether their pension scheme’s data could be affected.
Outcome
The cyber security incident highlighted that, while we do not regulate administrators, they are a key service provider to trustees and pension schemes, and we work to influence the best possible outcome with the saver in mind.
Open and transparent information sharing was critical in these circumstances so that we could quickly assess the risk to members’ benefits and how we could best support trustees and schemes. The majority of the schemes responded to our emails promptly. We also spoke directly to the trustees of various schemes, collectively representing a large proportion of members administered by Capita. This helped us better understand their schemes’ specific circumstances, how they had been affected by the cyber security incident, and the mitigating steps trustees were taking to protect members. We also found it helpful to be able to talk through our guidance and expectations with trustees and to understand the communications trustees were planning with their members.
To help individuals monitor their personal information for signs of potential identity theft, Capita gave scheme members free access to a 12-month subscription to Identity Plus, a monitoring service provided by UK credit reference agency Experian.
Conclusion
This incident demonstrated the very real threat that cyber criminals can pose to the industry. In this case, costs to Capita as a result of this cyber security incident are estimated at £25 million, as well as disruption to their operations and potential reputational damage.
From a pension scheme perspective, this incident shows the importance of having preventative measures in place and ensuring that trustees or managers of pension schemes and their providers have robust cyber security and business continuity plans in place.
We expect a scheme’s cyber security and business continuity plan to cover a range of scenarios so that, if an incident occurs, trustees will have rehearsed roles, responsibilities, systems and processes to ensure the safe and swift resumption of operations. This includes understanding third-party suppliers’ incident processes, including how and when trustees would be informed of a cyber incident at the supplier. If trustees outsource administration, they are still responsible for ensuring scheme obligations towards members are met, and as data controllers are still liable for ensuring that data is handled properly. Incident response plans should be regularly tested, for example by running through them step-by-step using a theoretical scenario.
Where there is a risk to the saver, we may get involved to understand the risks and how they are to be mitigated. From our perspective, timely and open communications with those that may have been affected by an incident are crucial so that individuals can be alert to the potential misuse of their data, including any personal data, through scams and fraudulent activity.
Learnings arising from communications challenges
Through our ongoing engagement with Capita, we became aware of several communications challenges as the company sought to contact scheme trustees and members affected by the cyber security incident. We have reflected on these communications challenges and the learnings arising from these for trustees to consider in similar situations.
Complexity, time and resource to identify exfiltrated data and match it to schemes and members
Learning from Capita’s experience, trustees should not underestimate the amount of work involved in this type of exercise and should factor this in as part of effective contingency planning.
The aftermath of a cyber security incident can involve reviewing a vast amount of structured and unstructured data and files, with a material impact on resource requirements to identify what data may have been compromised. Managing data carefully and minimising the level of unstructured data will help ensure responding to a cyber incident can be undertaken as efficiently as possible.
Trustees should not wait for these investigations to be resolved to contact members if there is a reasonable chance their data is at risk.
Communicating with trustees where contact details were not available
Some of the exfiltrated data related to schemes that Capita no longer administered (ex-clients), but for contractual and other reasons Capita was required to keep a copy of the scheme’s data, including where a scheme may have wound up. We were able to support Capita in making contact with those schemes. Trustees should be mindful that they may continue to have responsibility for data stored by third parties, even if a third party is no longer actively involved with the scheme.
In other cases, our ability to reach out to and support pension scheme trustees promptly was delayed by trustees failing to keep their contact information up to date. Trustees should remember that their contact details are registrable information and should be updated through our online Exchange system as soon as possible after any change.
Additional steps and time involved
In respect of the pension schemes of ex-clients, Capita no longer administered the scheme and may not have had a current relationship with the scheme’s trustees. This meant additional steps and time were likely to be required to agree roles and responsibilities between Capita, the scheme’s trustees and the scheme’s current administrator before communications could be issued to members. Where Capita is no longer the scheme’s administrator, the scheme’s current administrator and trustees will most likely need to be involved in checking member status and contact details and in sending member communications.
Agreeing template wording for member communications
We supported Capita in developing template wording, including appropriate scams warnings, which trustees could use to communicate with their members. Some schemes chose to develop bespoke member communications and, in some cases, this led to delays. In our view, prompt communication should be prioritised so members are informed and can take steps to protect themselves as soon as possible.
Issuing member communications
Some schemes used Capita to issue member communications, and some used third-party providers. Capacity constraints at Capita meant that some prioritisation of member communications was required. However, there were also some delays where member communications were delegated to another third party. Trustees should consider how they would communicate as promptly as possible with members as part of their contingency planning.
Key steps trustees should take in the event of a cyber security incident
- Communicate with the employer, administrator or other service provider to understand how the scheme/members are impacted. As a priority, trustees should understand whether there is likely to be any disruption to payment of benefits, retirement processing and bereavement services.
- Notify TPR as appropriate, and the ICO if required, where any personal data is involved.
- We are keen to work with the industry to ensure that savers are adequately protected, and share good practice and insight. In December 2023 we updated our cyber guidance and we are asking schemes, their advisers and providers to report significant cyber incidents to us on a voluntary basis, in an open and co-operative way, as soon as reasonably practicable.
- Trustees are also legally required to report breaches of pensions law where these are likely to be of material significance to us. This includes where these arise from a cyber incident, for example if it leaves you unable to process core transactions promptly and accurately, such as benefit payments.
- Reporting to us does not replace trustees’ existing legal requirements, such as reporting a personal data breach to the ICO without undue delay (if it meets the threshold for reporting) and within 72 hours.
- Establish whether key services and interfaces with other parties can be operated safely. Restore key services when it is safe to do so, keeping members and regulators informed on the ability to provide these services.
- Consider whether any immediate actions are required to safeguard members’ benefits. This could include changes to security procedures to combat identity fraud, where attackers use stolen personal data to gain access to pension benefits.
- Communicate with members and signpost to appropriate guidance so they can take the necessary actions to protect their personal information.
- Direct members to the National Cyber Security Centre guidance for individuals on data breaches. If a scheme is subject to a significant cyber security incident, the trustees and/or scheme managers should contact the NCSC for support.
- Monitor for increased or unusual transfer requests. Members will be concerned about the security of their data, which might lead them to decide to transfer out of the scheme. Members should be provided with all relevant information and notified of any risks to ensure they are well informed before transferring to another scheme.
- Warn members about pension scams. We believe that trustees and administrators are the first line of defence against pension scammers.
Our approach to cyber security
The cyber security incident experienced by Capita, and its impact on a significant number of pension schemes, underlines the importance of our aim to develop stronger relationships with administrators. Those relationships help us better understand the challenges and concerns administrators face, and give us the opportunity to drive up industry standards and improve saver outcomes.
‘Security’ is one of the five strategic priorities identified in our corporate strategy. Our primary goal is to protect money that savers invest in pensions, and this includes how we will work with our partners to protect savers from scammers and to tackle cyber-risks.
Over the last year, as set out in our Corporate Plan, we have trialled and embedded a new Administrator Relationships initiative, engaging directly with a small number of third-party pension administrators. We also engage regularly with all the largest third-party administrators. Through this work we aim to better understand the sector, identify areas where changes will improve saver outcomes, and ultimately raise standards.
Our updated guidance on cyber security principles for pension schemes sets out the steps we expect trustees and scheme managers to take to protect their members and assets against cyber risk. In this guidance we ask schemes, their advisers and providers to report significant cyber security incidents to us on a voluntary basis, in an open and co-operative way, as soon as reasonably practicable.