“It’s not if, but when” is one of the most concerning things I hear when discussing cyber security with the industry. And the evidence to support it is unignorable.
Government statistics published last month reveal that just over four in ten businesses (43%) and around three in ten charities (28%) experienced any kind of cyber security breach or attack in the last 12 months. This equates to approximately 612,000 UK businesses and 57,000 UK charities.
In its 2025/26 Global Pension Risk Survey, AON reported that the proportion of pension schemes impacted by cyber incidents has risen steadily from 3% in 2019 to 17% in 2025 and reflects growing concern across trustees and administrators.
And despite better industry awareness, AON’s survey reveals a slight reduction in activity around common cyber resilience measures. For example, only 41 percent of schemes have tested their incident response plans, down from 49 percent in 2023.
These figures are a wake-up call. Trustees and their advisers can no longer afford to treat cyber security as a tick-box exercise. It’s a strategic priority that trustees must not ignore.
Recent cases highlight that pension schemes are not immune to cybercriminals, and the consequences of an attack can be devastating: financially, reputationally and operationally.
The pension sector continues to evolve rapidly, and one area where urgency must match pace is cyber resilience.
In its Cyber Security Principles, the Pensions Regulator (TPR) makes its expectations clear: schemes must assess cyber risks, implement robust controls, and maintain dynamic incident response plans.
Cyber risk is now embedded in TPR’s General Code of Practice, and trustees are expected to review their cyber governance annually, or more frequently if operations change. This is not optional. It’s a growing regulatory expectation.
Tackling the threat
To support the industry, we deliver cyber security training as part of our Introduction to Pensions training courses.
And last year, we ran a brand-new Cyber Training programme tailored for pension professionals and delivered by experts from Crowe and Eversheds Sutherland. Topics included legal obligations, incident response, and embedding cyber policies into scheme governance.
We spoke to Crowe and Eversheds Sutherland for their views on the importance of addressing cyber security as a priority issue in the current climate.
Daniel Sibthorpe, Director of Cyber Security and Counter Fraud at Crowe, said building cyber resilience starts from the frontline. He told us: “Understanding the fundamentals of cyber risks and how they manifest should be something that is encouraged by all organisations, irrespective of industry, size or country that they’re based in.
“As part of this, receiving tailored training sessions is imperative for identifying how cyber risks could impact your scheme and members. Pension schemes are built on trust and the safeguarding of their members’ financial future, meaning it is now more important than ever that trustees are proactively seeking to learn and educate themselves on emerging risks.”
A change of policy direction
Lorna Doggett, Partner, Data Privacy & Cybersecurity, at Eversheds Sutherland, said: “From a legal perspective we know from experience that members look to the schemes themselves for help and for compensation claims when cyber incidents happen at service providers. Members are also claiming against administrators, including a number of class actions supported by claims management companies, but schemes remain accountable. TPR has said it’s a case of ‘if not when’, and breaches have attracted regulatory fines.”
Last autumn the ICO issued the first significant fine (£14m) in relation to cyber security and pensions administration failings at an administrator. Lorna continued: “Cyber security and data protection is about governance and control, crisis management rehearsals and preparedness in the face of a cyber threat landscape which is exacerbated by the increasing prevalence of AI (including deepfakes) and supply-chain vulnerability. Nobody can avoid all cyber risk, but what’s more important is having a robust audit trail to demonstrate there are appropriate measures in place.”
Lorna noted that the Court of Appeal case of Michael Farley helps us understand there isn’t a ‘de minimis’ (or minimal) threshold for distress claims and they can be successfully brought provided there’s proof of that distress.
Financial losses can also be relevant especially if bank account details or fraud risk arises for members. Lorna added: “Cyber criminals understand what a rich source of data schemes have and that certain classes of member may be particularly vulnerable.
“The proposal from the Home Office to ban the public sector from paying ransoms and to have all other organisations seek (in essence) approval before they pay any ransom indicates the direction of travel, though no primary legislation has yet been introduced to enact these proposals. The UK is a significant target for cyber-crime and pension schemes are no small part of that. There are lots of learnings from the ICO decision about fines recently in the sector as well.”
Gaining the right skills
At PMI, we believe cyber security is a boardroom issue. It’s about protecting members’ data, scheme assets, and public trust. I urge all pension professionals to ensure they have the right skills to properly assess the risk and take appropriate action.
We have now published details of our Cyber Training programme for 2026 and will announce more details in due course. For information about this and all training, please email training@pensions-pmi.org.uk
Last update: 28 May 2026