Cyber risk: an area of focus for TPR following its Annual Report and Accounts

The Pensions Regulator (TPR) has published its Annual Report and Accounts 2024-25, offering a comprehensive overview of its activities and performance over the past year, and the news is widely positive. TPR reports “substantial progress across several fronts”, positive alignment with the government’s growth plans, and on-track progress toward 27 of the 32 key performance indicators (KPIs) TPR is using to measure its own performance.
Notably, one of the few areas where TPR recognises that it needs to further enhance its processes is cyber security.
The report states, regarding the only “KPI target missed by [a] significant degree” (cyber risks and pensions technology in the pensions sector): “[TPR] are working with experts to understand the risks to savers posed by cyber attacks. This understanding will help frame our role, tolerance, and mitigation of these risks, including how we align with other government bodies and industry partners, and positively impact our performance rating against our KPI.”
This is a reflection of the complexity and rapidly evolving nature of cyber risk in the pensions sector.
There are a number of “marginally missed” KPI targets that touch on cyber resilience and administration. For example, TPR’s work to address market issues of administration (including financial sustainability, risk management, technology, innovation, and cyber resilience) remains in the “discovery phase”, with analysis ongoing and a risk framework yet to be finalised.
TPR is building its understanding of the cyber threat landscape and how best to influence saver risk, both directly and through collaboration with government and industry partners. The message is clear: more focus on cyber risk is coming and TPR is actively engaged in developing its approach.
TPR highlights its ongoing efforts to improve its own cyber capabilities, including a cyber IT health check (which found no ‘critical’ findings but did identify four ‘high’ findings), the recruitment of a “stronger” expert cyber team, and improved governance structures. The report also references delays in deploying certain systems, such as disaster recovery capabilities, but notes that these are now progressing.
On the risk of savers suffering financial losses or disruption due to cyber attacks in the sector, TPR writes: “The prevailing heightened cyber risk environment means this risk remains outside appetite.”
The way in which TPR addresses these challenges in the coming years and what impact this will have on both the wider pensions industry and individual schemes will be important. TPR’s transparency about its own cyber maturity is a useful signal to the sector: this is a complex, ongoing journey, and schemes should expect further regulatory developments.
The Broader Context: Ransomware and Reporting
The timing of TPR’s cyber focus is particularly relevant given wider government moves to address ransomware risk. As discussed in our colleague Amanda Leiu’s article, there is a growing movement to ban public sector bodies from paying ransomware demands, alongside increased encouragement to report cyber incidents. While there is already encouragement to voluntarily report incidents (including to TPR for the pensions industry), the landscape may be shifting towards more formal requirements.
If government policy moves towards mandatory reporting of cyber incidents — or even near-misses — it is likely that TPR will play a key role in shaping and enforcing these requirements for pension schemes. The report’s emphasis on collaboration with government and industry partners suggests that TPR is already engaged in these discussions.
What Should Schemes Be Doing Now?
While TPR’s report makes clear that more regulatory work is on the horizon, there is already much that schemes can and should be doing to improve their cyber resilience. TPR’s updated cyber guidance remains relevant, and TPR’s own experience underscores the importance of regular health checks, robust governance, and ongoing training.
For more on what your scheme should be doing to manage cyber risk, see our Cyber Security Compliance Trustee Checklist and our dedicated pensions cyber security page.
The key message for trustees and sponsors is that cyber risk is not going away. TPR’s openness about its own challenges should be seen as an invitation for the industry to engage proactively, rather than waiting for further regulatory intervention.
If you have any queries in relation to cyber security for pension schemes or anything else regarding your scheme, please contact Richard Pettit or Samantha Howell.
This article was written by Ben Jonsmyth, Samantha Howell and Richard Pettit.
https://www.thepensionsregulator.gov.uk/en/document-library/corporate-information/annual-reports