
Cyber risk horizon gazing: relevant developments for pension schemes


1 October marks the start of Cybersecurity Awareness Month and the launch of a series of briefings we will be publishing, aimed at helping trustees and sponsors of pension schemes to understand their legal obligations in this space and to strengthen their schemes’ cyber resilience.

This first instalment considers some recent and upcoming cyber security developments that trustees and administrators will want to monitor closely in the coming months. These developments are: 

  1. The Pensions Regulator Market Oversight Report
  2. The UK Cyber Growth Action Plan
  3. The Cyber Security and Resilience Bill
  4. Government intervention for cyber attacks

We take a closer look at each of these developments below. 

1. The Pensions Regulator Market Oversight Report

First in our review is The Pensions Regulator’s (TPR) Market Oversight Report (the “Report”), released this September. Following our recent article commenting on TPR’s Annual Report and Accounts, the Report confirms that cyber risk remains an area of focus for TPR.

The Report contains a specific section on cyber resilience and highlights that, while pension administrators are becoming more aware of cyber threats, there are still notable gaps in how risks are managed and how suppliers are overseen. Key vulnerabilities identified include phishing attacks, weaknesses in supplier systems and outdated infrastructure.

In its conclusions and next steps, the Report states that “Cyber security is being prioritised, but there remain gaps in security certification, supplier checks, and incident planning that need attention. We encourage trustees and administrators to review TPR’s Cyber security guidance and to ensure they have access to appropriate cyber expertise.”

The Report also gives examples of what good practice looks like, which offers pension scheme trustees useful pointers on what to request (and expect) from their scheme administrators in this area.

2. The UK Cyber Growth Action Plan

September 2025 also saw the publication of the final report of the Government’s UK Cyber Growth Action Plan (the “Cyber Action Plan”). Although its focus is industry-wide, it provides valuable strategic direction for pension schemes.

A central theme is the need to stimulate informed demand for cyber resilience. Schemes should ensure they adopt baseline standards such as Cyber Essentials and promote cyber risk reporting. This aligns with the Cyber Action Plan’s call for organisations to treat cyber security not merely as a compliance issue but as an enabler of trust and operational reliability. Stakeholders (including pension schemes) are also encouraged to explore cyber insurance and principles-based assurance to reinforce their risk management.

The Cyber Action Plan also urges greater public engagement and skills development. By fostering a culture that values cyber resilience, schemes can ultimately better protect member data and scheme assets. The emphasis on leadership highlights the importance of engaging with industry experts and government initiatives to stay ahead of emerging threats.

Future-proofing, most notably against AI-driven threats, is explicitly signposted as a priority within the Cyber Action Plan.

3. The Cyber Security and Resilience Bill

Announced in the King’s Speech in July 2024, detailed in April 2025 and set to be introduced later this year, the Government’s Cyber Security and Resilience Bill (the “Bill”) is likely to result in significant changes, including for pension scheme trustees.

The Bill proposes to bring more entities – notably Managed Service Providers (MSPs) – within the Information Commissioner’s Office (ICO) regulatory remit. MSPs are the external organisations which provide IT services to schemes and require access to their digital infrastructure to deliver ongoing support, monitoring and cyber security. Trustees may expect a rise in administration fees, as the Government acknowledges there will be “associated costs” to these security improvements, but considers it necessary to position MSPs as trusted and reliable cyber security partners.

Regulators will also be able to designate certain high-impact suppliers as ‘Designated Critical Suppliers’ (DCS), bringing them under strict compliance requirements similar to those that ‘operators of essential services’ (OES) and ‘relevant digital service providers’ (RDSP) face under the Network and Information Systems Regulations 2018. In effect, this means that these suppliers must undertake security checks and maintain continuity plans so that vulnerabilities in their own suppliers do not undermine digital service delivery. In due course, trustees should be alert to whether any of their suppliers might be designated, and should ensure that contracts and oversight arrangements are robust enough to meet these new expectations.

Though still in its early stages, the Bill may signal a significant shift in how trustees must approach cyber oversight and supplier accountability.

4. Government intervention for cyber attacks

The most recent development is the government’s response to the cyber-attack on Jaguar Land Rover (“JLR”), which further emphasises the serious economic impact of such attacks. In an unprecedented move, the government is reported to be underwriting a £1.5 billion loan guarantee to JLR to support its supply chain amid ongoing production disruption.

This is the first instance of financial intervention by the UK government specifically due to a cyber-attack. It will be interesting to see whether and to what extent this may set a precedent for future public-private responses to cyber incidents, especially where they are significantly disruptive to the UK economy. Indeed, there have been calls for the introduction of a cyber reinsurance scheme and potential furlough support for employees impacted by the fallout of cyber-attacks. 

Conclusion

As Cybersecurity Awareness Month begins, trustees are entering a period of continued reform in digital governance and risk management, with the only certainty being change. Regulatory expectations, evolving technologies and a changing legislative landscape mean that the need for proactive cyber resilience has never been greater. 

For more on what your scheme should be doing to manage cyber risk, see our Cyber Security Compliance Trustee Checklist and our dedicated pensions cyber security page.

If you have any queries in relation to cyber security for pension schemes or anything else regarding your scheme, please contact Richard Pettit or Samantha Howell.

This article was written by Rowan Kelleher, India McGirr, Samantha Howell and Richard Pettit.  

https://www.thepensionsregulator.gov.uk/en/document-library/research-and-analysis/market-oversight-administrator-relationships#cyber