The ICO’s actionable insights and lessons learnt from cyber attacks – key takeaways for pension schemes
On 14 October 2025, the Information Commissioner’s Office (the ICO) hosted its annual Data Protection Practitioners Conference, with a number of Burges Salmon’s lawyers in attendance.
There was an interesting session delivered on lessons learned from cyber-attacks. The slides from the session are available online here. In this session, the ICO talked about five actionable insights coming out of the range of cyber-attacks that it has been involved with.
In the table below, we set out the five actionable insights and the comments from the ICO on each of them. We have also added comments on how these apply to pension scheme trustees.
The ICO’s five actionable insights
| No. | Action | ICO comments | Our comments for trustees |
|---|---|---|---|
| 1 | Multi-factor authentication (MFA) | The ICO slides make the following comments: | MFA is a security process that requires users to provide two or more forms of verification before gaining access to an account, system or application. MFA is an easy win for all schemes. MFA can help trustees maintain the security of the large amounts of sensitive personal and financial data they manage in a cheap and easy way. As well as using this for trustee email accounts, schemes can use MFA where scheme administration platforms or trustee portals are accessed remotely, as it helps protect against unauthorised access. |
| 2 | Vulnerability scanning | The ICO slides make the following comments: | Trustees should ask questions to determine whether their administrators are carrying out vulnerability scanning and penetration testing. While the ICO does not mandate that penetration testing be carried out, organisations must identify risks and ensure appropriate technical and organisational measures are in place to mitigate them. As penetration testing is invasive and costly, schemes will need to consider whether it is proportionate for them to carry it out themselves. We would, however, expect scheme administrators to be conducting regular penetration testing given the volume of scheme data that they process. |
| 3 | Patch management | The ICO slides make the following comments: | Trustees should ask questions to determine whether their administrators have a clear patching policy and whether critical vulnerabilities are addressed promptly. If professional trustees hold large amounts of personal scheme data, it may be prudent to introduce patch management. |
| 4 | Monitoring and alerting | The ICO slides make the following comments: | Trustees should liaise with their scheme administrators to ensure they have appropriate monitoring in place and that alerts are reviewed and acted upon promptly. The importance of this takeaway was highlighted during the Capita breach in 2023: despite a high security alert being raised within 10 minutes of the breach, Capita failed to respond effectively for 58 hours, which allowed the attacker to exploit its systems. It may be appropriate for professional trustees to establish their own internal monitoring and alerting processes. |
| 5 | Know what you have, know what it holds | The ICO slides make the following comments: | As data controllers, trustees should engage in data and asset mapping so that they know what data they are responsible for and where it is. The ICO refers to this as an Information Asset Register. Once a scheme has processes in place to map its data and assets, it can understand its cyber footprint. This means understanding who its suppliers are, who those suppliers' sub-processors are and what the flow of data and assets actually looks like for the scheme in practice. Once this is understood, trustees can make a risk-based decision on the extent to which they would like to review their suppliers (both from a process and a contractual perspective), which is expected by the Pensions Regulator and the ICO. |
Key takeaways for trustees
The five actionable insights from the cyber-attacks that the ICO has dealt with are a useful lessons-learned piece that trustees should be aware of. From a pensions perspective, the key actions and takeaways are:
Multi-Factor Authentication: Trustees without MFA should implement it as a priority, both for email use and for portal use (where relevant).
Data and Asset Mapping: Schemes should have an up-to-date data and asset map to understand their cyber footprint. Trustees can then make informed, risk-based decisions on the extent to which they would like to review their suppliers (both from a process and a contractual perspective).
Understanding third-party processes: Linked to reviewing their suppliers, trustees should be asking questions of their third-party suppliers, including their scheme administrators. Based on the ICO's actionable insights, some of the questions to ask include:
whether they carry out vulnerability scanning and/or penetration testing and how frequently;
whether they have a clear patching policy and whether critical vulnerabilities are addressed promptly; and
whether they have appropriate monitoring in place and whether alerts are reviewed and acted upon promptly.
How can we help?
We would be very happy to help pension scheme trustees with the key takeaways set out above and with building their scheme’s cyber security resilience. Details of our experience in advising pension schemes in relation to cyber security can be found on our dedicated webpage.
If you are interested in finding out more, please contact Richard Pettit, Samantha Howell or your usual Burges Salmon contact.