The Pensions Regulator’s Market Oversight Report on administrator relationships, released last month, landed heavily and underscored issues that demand the industry’s attention. The message was clear: pensions administration is no longer a back-office necessity. It’s a strategic risk, a regulatory focus and, when done well, a critical lever for improving member outcomes. But the report also exposed a growing fault line: cyber resilience across the pensions administration market is wildly inconsistent.
Daniel Taylor, Client Director at Trafalgar House, commented: “Some administrators are ahead of the game, operating mature frameworks, with regular penetration testing, proactive governance, and certifications such as ISO 27001 and ISO 22301. Others, frankly, are nowhere near. This isn’t a technical detail, it’s a fundamental threat to the security of millions of savers’ personal and financial data. The pensions sector is effectively running on a ‘weakest link’ model and hoping it holds. If the industry wants to protect members, safeguard trust, and maintain stability, we need a coordinated, market-wide approach to cyber resilience and operational readiness. That means:
• Standardise – set clear, minimum expectations for cyber maturity across the market, aligned to trusted frameworks such as the NCSC Cyber Assessment Framework, ISO standards, and PASA guidance.
• Assess and accredit – make cyber readiness a core component of administrator selection, onboarding and ongoing review, not just a tick-box question in a due diligence pack.
• Support, don’t just scrutinise – smaller or less mature administrators must be given the tools, guidance, and resources to meet the bar, not left behind without a path to improvement.
“If we get this wrong, regulation won’t raise the bar, it’ll accelerate market exits at a time when the sector is already consolidating at pace. The report makes one uncomfortable truth clear: a lack of investment always shows up. It manifests in underdeveloped governance, stretched systems, missed SLAs, and members left waiting too long for basic answers about their pensions. Cyber security and operational resilience aren’t optional extras, they are the foundations of a functioning pensions system. If we talk about administration as critical to member outcomes, it’s time to act like we believe it. That means backing accreditation, raising cyber standards and funding the future.”