
Pensions Pod: Cyber and AI Bytes - Understanding the cyber risks of Pensions Dashboards


In our final episode of Cyber and AI Bytes, Samantha Howell and Andy Prater discuss the Pensions Dashboards Programme from a cyber risk perspective. They explore the significance of the initiative, the potential cyber threats it poses, and the necessary steps trustees should take to mitigate these risks. Key topics include data transfer security, the risk of scams, and the importance of Data Protection Impact Assessments (DPIAs) and updated privacy notices.

Samantha Howell, Director, Burges Salmon

Hello everyone and welcome to today’s Cyber and AI Bytes episode, part of the Burges Salmon Pensions Pod. I’m Samantha Howell, a Director and one of the Cyber Governance Leads in Burges Salmon’s Pensions and Lifetime Savings team. I’m pleased to be joined today by Andy Prater, who’s another Director in our team.

Andy has substantial experience in all areas of pensions law, advising both pension scheme trustees and employers across a broad range of pensions issues. Andy is also the Pensions Dashboard Lead in our team. And today, Andy and I will be talking about the cyber risk perspective of the Pensions Dashboards Programme.

Andy, thanks so much for joining me today to talk about Pensions Dashboards through a cyber lens.

Andy Prater, Director, Burges Salmon (00:41)

Thanks Sam, I’m very happy to be here today. This is a great opportunity to flag some of the cyber risks associated with the Dashboards Programme and to consider what can be done to mitigate them.

Samantha Howell (00:51)

Great, so to kick off this episode, could you remind our listeners what the Pensions Dashboard Programme is?

Andy Prater (00:57)

Yes, the Pensions Dashboards programme is part of the Money and Pensions Service. The initiative aims to provide people with access to information about their UK pensions which are not yet in payment, all in one place, for free, online, via a dashboard. The intention behind the programme is to increase awareness and understanding which will hopefully support people with better planning for retirement. Dashboards will also reunite savers with lost or forgotten pensions.

The Department for Work and Pensions has set out a staged timetable for schemes to connect to the Pensions Dashboard ecosystem. All schemes in scope must be connected by 31st October 2026 at the latest. As you can imagine, there are lots of things for schemes to be doing in preparation for their specific connection deadlines.

Samantha Howell (01:41)

Yes, of course, and that’s coming quite soon now, we’re in 2026. Could you briefly summarise how it works in practice from a user perspective?

Andy Prater (01:51)

Yes, in practice users will submit requests to find their pensions information. So users will first be required to prove their identity using the GOV.UK One Login service. The pension finder service, which is part of the dashboard central digital architecture, then sends user requests to all connected providers and schemes. Providers and schemes match dashboard users to their pensions using find data.

Once a user has been matched, the provider or scheme will then return relevant information to display on the dashboard as view data.

Samantha Howell (02:25)

Thanks for that. There’s lots that trustees will either already have done or will need to do soon then to make sure their scheme’s connected to the dashboard in time. I understand you’ve been working on a tool to help trustees understand what steps need to be taken.

Andy Prater (02:38)

Yes, we’ve produced a pensions dashboards tool launched in January 2026 which is designed to help trustees understand the legal aspects of pensions dashboards, how dashboards will function and the duties and obligations that will apply. Listeners can request access via Burges Salmon’s website or by contacting me or their usual Burges Salmon contacts.

Samantha Howell (02:59)

That sounds like it should be a really useful tool. We’re not going to delve into all of the actions needed to connect to the Pensions Dashboard in this episode today. Instead, we’re just going to focus on dashboards from a cyber risk perspective. So we’ll consider some of the data protection and cybersecurity risks that this advancement brings and the steps that could be taken to minimise these risks. So should we start by talking about the biggest cyber or data protection threats from a dashboards perspective? Please, can you outline those?

Andy Prater (03:28)

Yes, of course. So the introduction of pensions dashboards represents a significant step forward in the digitalisation of pension scheme data. Three cyber or data protection threats associated with dashboards are: the transfer of data and making sure appropriate controls are in place, the potential for dashboard scams and the risks of relevant providers being subject to a cyber incident.

Samantha Howell (03:51)

Thanks for that concise summary, that’s really helpful. I completely agree with all of those and let’s look at those risks in turn, starting with the transfer of data.

Andy Prater (04:01)

Yes, so schemes will need to have systems and processes in place to ensure that any data transferred to meet the dashboards requirements is done in a secure and compliant way. Schemes may meet their obligations through existing administration providers or by using an Integrated Service Provider, also known as an ISP.

Samantha Howell (04:20)

Yes, that’s very true. If a scheme is using their existing administrator to connect to the dashboards, then there potentially won’t be the same transfer of data, but there will be new processing activity for a different purpose. If a scheme is using an ISP as a new third party supplier, or if an existing administrator is using an ISP as a sub-processor, which a number of the administrators are doing, then there will be a significant transfer of data. And trustees should be aware of that and the contract in place with the administrator should be updated and/or a contract put in place with the ISP.

Andy Prater (04:53)

Yes, that’s an important point as trustees are the data controllers of scheme data and are therefore responsible for the security of member data. So it’s important to understand what their processors and sub-processors, i.e. administrators and/or ISPs, are doing with that data.

Samantha Howell (05:09)

Yeah, absolutely. Trustees shouldn’t forget that as data controllers they retain responsibility. So the risk of how data is used sits with the trustees, even if they’re not using the data themselves on a day-to-day basis.

Andy Prater (05:21)

Yes, any transfer to an ISP should be considered carefully as this would be a significant new data processor arrangement. So trustees should be asking robust questions about the ISP’s internal controls in relation to data transfer and cyber risk and for clarity on data protection and cybersecurity provisions in their contract with the ISP before any data is transferred.

Samantha Howell (05:42)

Yeah, the second risk then that you mentioned was the potential for dashboard scams.

Andy Prater (05:48)

Yes, I think the trustees should make an effort to inform and educate members as to the potential for scams, as the move to being able to view data through the Pensions Dashboard ecosystem could present a fresh opportunity for scammers to try to target pension scheme members. Pension schemes and their members have always been vulnerable to scammers because of the significant volumes of data and assets that they have. And whilst the technology is ‘find and view’ only at this stage, so there is no ability to make transfers through the dashboard, for example, the fact of there being this new environment and ability to view pensions data could nevertheless lead to increased potential for scams.

Samantha Howell (06:27)

Yeah and I think that’s a point that can easily be overlooked.

Andy Prater (06:31)

I agree and whilst we don’t know what scams might look like, it’s relatively inexpensive and easy for trustees to send communications to remind members about the risk of scams. So this information could be included as part of the routine communication or indeed a specific dashboards communication in the run up to the ecosystem going live. So I think it’s a risk that prudent trustees should be taking efforts to mitigate against.

Samantha Howell (06:57)

Yeah, absolutely. The final risk you mentioned was the potential for a dashboard cyber incident, which if it happened could be significant given the amount of data involved.

Andy Prater (07:07)

Yes, it’s important to stress that the pensions finder service is not a database. It doesn’t hold any personal or pensions data. Rather, it acts like a switchboard, sending members’ requests to all connected providers and schemes, which then return a unique identifier to the Dashboard for each matching pension. Once the pensions information is requested, the schemes and providers send this directly to the Dashboard, where only the requesting member can access it.

There’s therefore no centralised data target for hackers to look at. The data resides where it does currently and is temporarily displayed but not stored on the dashboard. And to keep Pensions Dashboards data safe, the governance register will ensure that the Pensions Dashboards ecosystem meets the required security and performance standards.

Trustees should of course be mindful that administrators and ISPs could be targets for cyber incidents and, if the dashboard ecosystem becomes more sophisticated in the future, the risk of a cyber incident may well increase.

Samantha Howell (08:11)

Yeah, and in practice if a cyber incident did occur then schemes would need to look at their contracts to determine who would bear the costs of that incident. In reality many contracts are currently silent on this and administrators and ISPs are likely to seek to limit their liability for a cyber incident. So trustees should be considering the relevant contractual provisions in this area to understand who would meet the costs of an incident and to consider ways to mitigate any costs, which might be introducing contractual clauses around that or taking out cyber insurance.

Andy Prater (08:42)

Yes, on the topic of mitigation, understanding the contractual position on dashboard compliance and updating provider contracts as required is an important step. Two other aspects we recommend that schemes prioritise are putting a Data Protection Impact Assessment in place and updating their privacy notices.

Samantha Howell (09:00)

Thanks Andy. Can you tell the listeners more about what a Data Protection Impact Assessment is?

Andy Prater (09:05)

Yes, a Data Protection Impact Assessment, or DPIA for short, is a risk assessment process that helps organisations identify and minimise any data and privacy risks where personal data is being processed. DPIAs are required under the UK General Data Protection Regulation for certain types of processing, including, for example, where new technologies are being used and the processing is likely to result in a high risk to people.

Samantha Howell (09:32)

And what are the views of the ICO, the Pensions Regulator and the Pensions Dashboard Programme in relation to DPIAs?

Andy Prater (09:39)

As far as I’m aware, the ICO hasn’t set out a position on trustees’ duties in respect of pension dashboard obligations. The Pensions Regulator’s initial guidance stated that matching, combining or comparing data from multiple sources requires a DPIA under the UK GDPR, so trustees may need to produce one or may need to update one they already have. The Pensions Dashboard Programme has published its own DPIA, covering the processing of personal data by MaPS to deliver the central digital architecture, the related services and the connection of pension schemes and providers to it. MaPS’s provision of the MoneyHelper Pensions Dashboard will be covered in a separate DPIA. The PDP has stressed that its DPIA doesn’t cover the responsibilities of other parties who are connecting to the ecosystem and suggests that these entities’ DPIAs should reflect the large scale processing that they will undertake.

So, at the very least, it would certainly be best practice for schemes to carry out a Data Protection Impact Assessment.

Samantha Howell (10:43)

Yeah, I agree. Thanks, Andy. You also mentioned that schemes should update their privacy notices. Why is that?

Andy Prater (10:50)

Privacy notices should be updated to reflect the potential sharing of member personal data with the Dashboard and potentially also further sharing of information, if any, with their administrator or ISP. As part of this, the notice should detail what personal data is processed, the legal basis for processing, and the third parties with access to the data. Essentially, compliance with dashboards requirements is a new form of data processing that wouldn’t have originally been envisaged when most privacy notices were put in place or last updated.

Samantha Howell (11:22)

Yeah, okay that makes sense. Are there any other actions that you think trustees could be taking to mitigate the cyber risk of the Pensions Dashboard Programme?

Andy Prater (11:30)

Yes, if they haven’t already, then trustees should update their risk registers to identify potential data and cyber risks relating to dashboards, which is an easy win. Schemes should also have an up-to-date data and asset map, as this helps trustees to understand their cyber risk in line with TPR’s expectation. Dashboards compliance may well lead to new data flows and a scheme’s data and asset map should therefore be updated to reflect this.

Samantha Howell (11:56)

Yeah, both of those actions make sense. And I would also encourage trustees to take this opportunity to think about their scheme’s cyber resilience more generally. For any schemes which have not already taken steps, or are not taking ongoing steps, to build their cyber resilience, pensions dashboard compliance could be a useful push to start thinking about what steps should be taken in this area.

So that wraps up our discussion on pensions dashboards from the cyber perspective. Thanks again to Andy for joining us. The key takeaways for trustees that I took from our discussion in this area are to put in place a DPIA for dashboards if your scheme doesn’t already have one, to update your scheme’s privacy notice, and to consider any other relevant actions including your contract with your scheme administrator and/or ISP.

That was another episode of Cyber and AI Bytes, part of the Burges Salmon Pensions Pod. If you’d like to know more about our Pensions and Lifetime Savings team or our cyber specialists throughout the firm and how our experts can work with you, then you can contact myself, Samantha Howell, or any of the team via our website. And as we say every episode, all of our previous episodes are available on Apple, Spotify, our website or wherever you listen to your podcasts. Don’t forget to subscribe, and thanks for listening.
