U.K. pension administrator Capita has informed clients of possible breaches related to a March 22 cyber incident, while regulators are asking pension fund trustees to report on steps taken to protect participant data.
In addition to The Pensions Regulator, the Financial Conduct Authority contacted other Capita corporate clients to make sure they are assessing the extent of possible data compromises that could affect consumers.
TPR issued guidance in 2018 for pension trustees on addressing cybersecurity risks.
A TPR spokesperson said in an emailed statement Friday that in light of Capita's cyber incident, "we have asked trustees of schemes which employ Capita as their administrator to speak with the company to understand more about the situation and to help determine whether there is a risk to their scheme's data. If a trustee establishes that their scheme has suffered a data loss, they have a duty to notify TPR, other authorities and impacted individuals."
The spokesman said in the statement that trustees are required to read guidance on cyber and IT security "and to make sure they are familiar with their responsibilities. We are also asking schemes to report to us what steps they have taken to ensure their obligations as data controller have been met."
TPR declined to name the pension funds receiving the communication or to comment on their number, which is reportedly in the hundreds.
On April 20, Capita issued a statement that it experienced a cyber incident on April 3 that primarily impacted access to internal Microsoft Office 365 applications and potentially impacted 4% of users.
Based on its subsequent investigation so far, "it appears that the incident arose following initial unauthorized access on or around 22 March and was interrupted by Capita on 31 March." That action restricted the potential impact to around 4% of its server estate, with some evidence so far of limited data exfiltration that could include customer, supplier or colleague data. The company has since restored virtually all client services impacted, Capita said in the April 20 statement.
A call to Capita was not immediately returned.