
Pensions Pod: Cyber and AI Bytes – A Guide to Ransomware for Pension Trustees


In this episode of The Pensions Pod: Cyber and AI Bytes, Samantha Howell and Amy Khodabandehloo discuss ransomware payment requests, in the context of pension schemes. They explore the legal implications of paying ransoms, the responsibilities of trustees, and the importance of having a coordinated response plan. The conversation emphasises the need for proactive planning, understanding insurance coverage, and engaging with legal advisers to navigate the challenges posed by ransomware attacks.

Samantha Howell, Director, Burges Salmon

Hello everyone and welcome to today’s Cyber and AI Bytes episode, part of the Burges Salmon Pensions Pod. I’m Samantha Howell. I’m a Director and one of the cyber governance leads in Burges Salmon’s Pensions and Lifetime Savings team. I’m really pleased to be joined today by Amy Khodabandehloo who’s a Director in the Burges Salmon Dispute Resolution team. Amy specialises in advising clients in the aftermath of cyber incidents and data breaches, helping them navigate complex legal and reputational challenges.

Today, Amy and I will be talking about ransomware payment requests and what pension scheme trustees should do if they were faced with this difficult situation.

Amy, thanks so much for joining me today to talk about ransomware. This is now the UK’s most significant cyber threat and pension schemes are not immune. With attacks growing in scale and sophistication, trustees face a unique challenge. If the worst happens, should a ransom ever be paid?

Amy Khodabandehloo, Director, Burges Salmon (00:59)

It’s a question loaded with legal, regulatory and governance complexity and today we’re aiming to unpack what trustees need to know.

Samantha Howell (01:10)

Great, sounds good but before we dive into any of the legal considerations can we step back, go back to basics and ask what is ransomware?

Amy Khodabandehloo (01:20)

Sure, so ransomware is a form of malicious software that typically encrypts or exfiltrates an organisation’s data and the attackers demand payment in exchange for the release of that data. Sorry, Sam, you were going to ask a question.

Samantha Howell (01:35)

No, no, I was just going to say there’s lots of recent examples of that kind of attack. So, yeah, both in the pensions industry and wider.

Amy Khodabandehloo (01:50)

So yes, that’s right. If we think in a pensions context, specifically the Capita attack in March 2023, that exposed the personal data of over 6 million people, including members of 325 pension schemes.

And then looking more recently in a non-pensions context, the attack on M&S in 2025 caused weeks of disruption, including suspension of online orders, supply chain chaos, and wiped out £300 million in operating profit.

Samantha Howell (02:24)

Yeah, with real practical consequences there.

Amy Khodabandehloo (02:27)

Correct. And pension schemes, or their sponsors or third-party suppliers, may be attractive targets for ransomware attacks because of the large amounts of member data and assets that pension schemes hold.

Samantha Howell (02:42)

Yeah, of course and I think you know cyber criminals are starting to wake up to that fact. So, coming back to ransoms then, is it actually legal to pay a ransom?

Amy Khodabandehloo (02:48)

So, under English law, paying a ransom per se is not inherently unlawful, but the UK government does not condone making ransomware payments. Recent enforcement trends have shown increased scrutiny and organisations do need to be aware of the overlapping legal regimes that can make a payment unlawful. So thinking firstly about sanctions risk, if the attacker is on the UK sanctions list then paying them is a criminal offence. And that means that the list needs to be checked carefully before even thinking about making a payment. Turning next to terrorism laws, if there’s any reason to suspect that the money could fund terrorism, that’s also illegal, even if the group isn’t officially designated. And then finally, money laundering concerns. Ransomware groups are often linked to organised crime networks and making a payment could trigger anti-money laundering reporting obligations and could trigger serious regulatory scrutiny. So, it’s worth keeping that in mind.

Samantha Howell (03:58)

Yeah, lots to think about then.

Amy Khodabandehloo (04:00)

Yeah, exactly. And trustees do need to remember that even if payment isn’t inherently unlawful, it could breach sanctions or terrorism laws. And importantly, paying a ransom does not absolve trustees of data protection obligations or regulatory scrutiny. And the ICO and the Pensions Regulator do expect robust cyber resilience and instant reporting. Also, the government is looking to introduce legislation to ban the payment of ransoms in the public sector and to impose stricter reporting requirements on all victims of cyber attacks, public and private sector. So, we’ll need to keep a close eye on how that progresses.

Samantha Howell (04:42)

Yeah, so payment of a ransom definitely isn’t a defence then when you’re looking at the incident after the fact to work out any lessons learnt. In a pensions context then, do you think a ransomware request is a question for trustees or sponsoring employers?

Amy Khodabandehloo (04:51)

So, for trustees, the position on paying a ransom is most likely to be a conversation about the employer’s approach, particularly because trustees would find it difficult to pay a ransom out of the pension fund given their fiduciary duties.

Samantha Howell (05:15)

Yeah, of course, and it’s highly unlikely to be an authorised payment for the purposes of the pensions tax implications, so yeah, there would likely be penal tax charges as well as having to pay that, if that was a scenario trustees found themselves in.

Amy Khodabandehloo (05:33)

Yeah, exactly. I think the important thing for trustees is to consider whether they’re prepared for the conversation with the scheme employer about whether or not to pay a ransom.

Samantha Howell (05:43)

Yeah, what about cyber insurance? There’s more and more talk about this. How does that fit into all of this?

Amy Khodabandehloo (05:50)

So, the cyber insurance market has evolved and cover is now more prevalent and cheaper than before. Policies can cover ransomware payments. But for policies to be worth anything, the policyholders need to be aware of the insurer’s requirements. Again, in a pensions context around ransomware payments, the requirements are most likely to be relevant to the employer. But some trustees, particularly, for example, professional trustees with their company hat on, could find themselves also needing to look at this. Policies are likely to require pre-approval, sanctions checks, incident documentation, et cetera, before a ransom payment will be covered by the policy. So crucially, it’s really important to follow policy conditions and know what’s required because failing to do so could invalidate cover.

Samantha Howell (06:43)

Yeah, and making sure you can actually put your hands on that policy before you’re trying to scramble around to respond to a ransomware request. So, it’s clear that, I suppose, ransomware is not just a technical issue, it’s also a legal and governance challenge, so a coordinated response will be needed. What else should trustees and employers be considering?

Amy Khodabandehloo (06:51)

Yeah. So there’s no guarantee of recovery or safety of data if you pay a ransom. Attackers might not honour promises to delete data and victims might face further demands. So, it’s really important to remember that. Paying can also signal vulnerability and it might make organisations subject to a repeat target, which can also have a reputational impact as well. It’s important to think about all these things upfront with the scheme employers, as trustees: who’s going to lead if the scheme’s compromised, who decides whether a ransom’s paid, how are costs allocated? And decisions really do need to be documented, whether that’s an employer-only decision, trustee-only, or the employer and the trustee together. It’s really important to involve legal counsel with that and align with any pre-existing incident response plans, which there should be. If you engage lawyers early, then the privilege can help to preserve those discussions in terms of confidentiality. It’s also worth checking any relevant trust deeds. Is there even the authority to use scheme assets for a ransom, for example? Many deeds won’t contemplate this, but some might. So, it’s just important to be really all-encompassing when you’re thinking about this issue.

Samantha Howell (08:23)

That’s been really interesting, thanks. In terms of a conclusion then, it would be helpful if you could just summarise some key takeaways for the listeners.

Amy Khodabandehloo (08:33)

Certainly. So, number one, plan ahead. Align legal, IT, leadership teams on your response strategy before an attack happens and make sure that legal counsel are engaged early to preserve privilege and manage risk. Secondly, agree your stance on any ransom payments. So as a trustee, ask yourself, do we know who decides if a ransom needs to be paid? Work out with the scheme – to decide when they would pay, when they would refuse, when they might consider paying a ransom. And think about what input the trustees might want or need to have. Trustees need to keep in mind their fiduciary duties to the scheme and its members and to comply with the Pensions Regulator’s governance expectations. Thirdly, engage with the scheme sponsor on insurance, understand what’s covered, excluded and required for ransomware attacks.

Consider all policies – cover isn’t necessarily limited to a standalone cyber policy. And fourthly and finally, engage with the employer on resilience. So have strong backups and tested recovery plans; doing that can help significantly reduce the pressure to pay.

Samantha Howell (09:51)

Great, well that wraps up our discussion on ransomware payments and the legal landscape. Thanks again to Amy for joining us. The key takeaway for trustees that I took from our discussion in this area is to engage with your scheme sponsor about the issue ahead of time wherever possible.

That was another episode of Cyber and AI Bytes, part of the Pensions Pod. If you’d like to know more about our Pensions and Lifetime Savings team or our cyber specialists throughout the firm, and how our experts can work with you, then you can contact myself, Samantha Howell, or any of our team via our website. As we say every episode, all of our previous episodes are available on Apple, Spotify, our website, or wherever you listen to your podcasts. Don’t forget to subscribe and thanks for listening.
