Articles - Emerging cyber risks in the pension sector


Dean Chapman examines rising cyber risks in UK pension schemes, highlighting why trustees must take stronger ownership of governance, resilience and oversight to protect member data and ensure robust outcomes. It has been recognised for some time that cyber risk is no longer simply a technical issue confined to IT teams or outsourced service providers. For pension schemes, cyber has slowly but certainly become a board-level risk with direct implications for member outcomes, regulatory scrutiny and trustee accountability.

By Dean Chapman, Senior Director, Lead Cyber Risk Consultant, WTW
 
As schemes become increasingly data-driven and interconnected, emerging developments such as Artificial Intelligence (AI), Post-Quantum Risk (PQR) and the Pensions Dashboard Programme (PDP) are further reshaping the cyber risk landscape for the pension sector.
 
In response, trustees are being asked not simply to understand these risks, but to demonstrate effective governance, oversight and preparedness. One increasingly vital component of that is the alignment of business continuity and cyber incident response arrangements: the 'when, not if' mantra for cyber incidents most certainly applies.
In this article, we explore those emerging risks in a pensions context, place a spotlight on the importance of business continuity and cyber incident response planning, and set out what these mean for trustees and the sector.
 
Artificial intelligence: Opportunity with new governance challenges
AI is increasingly embedded in the systems used by service providers across the pension sector – from automating administration tasks and customer interactions, to enhancing security monitoring and fraud detection. While this can improve efficiency and resilience, it raises important questions regarding governance and security for trustees.
 
AI systems can introduce new dependencies, reduce transparency around decision-making and increase reliance on data quality and model integrity. Trustees do not need to understand how the models are built, but they do need assurance that AI-enabled processes are governed, tested and monitored appropriately by their providers. From a trustee perspective, the key questions are practical and outcome-focused:
 
Is AI being used in processes that could affect member data, benefit calculations or payments?
Are controls in place to prevent errors, bias or unintended data exposure?
Would the scheme know if an AI-enabled system failed or behaved unexpectedly during a cyber incident?
 
AI does not and will not remove trustee responsibility; it reinforces the need for clear oversight and structured governance.
 
Post-Quantum Risk: A long-term issue with near-term decisions
Post-quantum risk refers to the prospect that a sufficiently large quantum computer will break the public-key cryptography (RSA, Diffie-Hellman and elliptic-curve schemes) that currently protects key exchange, digital signatures and encrypted connections. Symmetric encryption and hashing are weakened rather than broken, so larger key and digest sizes remain adequate. While this threat remains emerging rather than imminent, it is particularly relevant for pension schemes because of the long-lived nature of the data they hold and process.
 
Member data, benefit records and identity information often need to remain confidential for decades. That matters because encrypted traffic or encrypted files captured and stored by an attacker today could be decrypted once the underlying public-key cryptography is broken – an attack referred to as 'Harvest Now, Decrypt Later'. The longer data must stay confidential, the earlier the move to quantum-resistant cryptography has to be complete. In the short term, trustees must engage with their service providers to build confidence that those providers are aware of this risk and are planning for cryptographic change as part of their longer-term technology roadmaps.
 
Trustee governance in this area should focus on awareness and assurance rather than immediate remediation. A scheme does not need to rush its service providers into technical upgrades, but it should be satisfied that key providers are monitoring the risk, know where public-key cryptography is used in the systems that hold or move member data, are following industry standards (NIST published its first post-quantum cryptography standards in 2024) and are positioned to adapt as requirements and technologies evolve.
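The 'Harvest Now, Decrypt Later' reasoning above can be made concrete with Mosca's inequality: data is exposed when the years it must stay confidential plus the years a migration will take exceed the years until a cryptographically relevant quantum computer exists. The following is an added example and is not code from the article or from WTW; it triages a constructed cryptographic inventory against that inequality. The inventory, the five-year migration time and the fifteen-year quantum horizon are all assumptions chosen for illustration, not estimates the page makes.

```python
"""Harvest-now-decrypt-later triage of a cryptographic inventory.

Added example, not from the article or WTW. Applies Mosca's inequality:
data is exposed if  shelf_life + migration_time > time_to_crqc, where
time_to_crqc is the ASSUMED number of years until a cryptographically
relevant quantum computer (CRQC) exists. All figures here are assumptions.
"""
from dataclasses import dataclass

# Public-key schemes based on factoring or discrete logarithms: broken
# outright by Shor's algorithm on a large enough quantum computer.
QUANTUM_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "ED25519", "X25519", "P256", "P384"}
# Symmetric ciphers and hashes are only weakened (Grover), so 256-bit keys
# and digests remain acceptable; ML-KEM, ML-DSA and SLH-DSA are the NIST
# post-quantum standards.
QUANTUM_SAFE = {"AES256", "CHACHA20", "SHA256", "SHA384", "SHA3256",
                "MLKEM768", "MLKEM1024", "MLDSA65", "MLDSA87", "SLHDSA"}


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str          # key exchange or cipher protecting the data
    shelf_life_years: int   # how long the data must remain confidential


def classify(algorithm: str) -> str:
    """Map an algorithm name to its quantum status. Hybrids such as
    X25519MLKEM768 count as safe because the ML-KEM half still holds."""
    a = algorithm.upper().replace("-", "").replace("_", "")
    if "MLKEM" in a or "MLDSA" in a or "SLHDSA" in a or a in QUANTUM_SAFE:
        return "quantum-safe"
    if a in QUANTUM_BROKEN:
        return "quantum-broken"
    if a.startswith("AES128"):
        return "weakened"    # Grover halves the effective key length
    return "unknown"         # treated conservatively as exposed below


def at_risk(shelf_life_years: int, migration_years: int, years_to_crqc: int) -> bool:
    """Mosca's inequality: x + y > z means data captured today will still
    need to be secret after a CRQC can decrypt it."""
    return shelf_life_years + migration_years > years_to_crqc


def triage(assets, migration_years: int, years_to_crqc: int):
    """Return one finding per asset with an exposure flag and an action."""
    findings = []
    for asset in assets:
        status = classify(asset.algorithm)
        exposed = (status in ("quantum-broken", "unknown")
                   and at_risk(asset.shelf_life_years, migration_years, years_to_crqc))
        if not exposed:
            action = "monitor; no migration deadline driven by this data"
        else:
            # Migration must finish before the data's shelf life runs past the CRQC date.
            deadline = years_to_crqc - asset.shelf_life_years
            action = (f"complete migration within {deadline} years"
                      if deadline > 0 else
                      "already exposed: data captured now outlives any migration")
        findings.append({"asset": asset.name, "algorithm": asset.algorithm,
                         "status": status, "exposed": exposed, "action": action})
    return findings


# Constructed inventory for illustration; not a real provider's estate.
SAMPLE_INVENTORY = [
    Asset("member-portal TLS", "X25519", 40),             # identity data, decades of shelf life
    Asset("payroll SFTP", "RSA", 10),                     # payment instructions, short shelf life
    Asset("transfer API", "ECDH", 12),                    # transfer values, medium shelf life
    Asset("encrypted backups", "AES-256", 40),            # symmetric, 256-bit key
    Asset("dashboard connection", "X25519MLKEM768", 40),  # hybrid post-quantum key exchange
    Asset("legacy admin link", "proprietary", 25),        # algorithm not disclosed by provider
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, migration_years=5, years_to_crqc=15):
        print(f"{f['asset']:<22} {f['status']:<15} exposed={str(f['exposed']):<5} {f['action']}")
```

The useful output for a trustee is not the classification itself but the deadline column: it turns 'our data lives for decades' into a date by which a provider's migration must be complete, which is a question that can be put to a provider and tracked. An 'unknown' algorithm is deliberately treated as exposed, since a provider that cannot name what protects member data cannot evidence that it is safe.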
 
The Pensions Dashboard Programme: Visibility brings additional responsibility
The Pensions Dashboard Programme (PDP) is one of the most significant structural changes to the pensions ecosystem in recent years. It increases data visibility, connectivity and access for members, but it also expands the attack surface for schemes. A cyber incident affecting PDP connectivity – whether directly or via a service provider – could have reputational, regulatory and operational consequences.
 
Crucially, while the PDP introduces new intermediaries and digital infrastructure, accountability for data accuracy, security and member outcomes remains with the trustee, who must ensure that appropriate governance, assurance and incident readiness are established across all participating parties.
 
Why governance, not technology, is the trustee's primary lever
Across all of these emerging risks, a common theme emerges: trustees will not be expected to design or operate technical controls, but they will be expected to govern them, including where services are outsourced to a range of providers.
 
Effective cyber risk management in pensions is less about tools and more about clarity of roles, decision-making authority and incident preparedness. Regulators increasingly expect trustees to demonstrate that cyber risk is understood, owned and integrated into wider scheme governance, rather than addressed in isolation. This is where the alignment of business continuity and cyber incident response becomes critical.
 
Business continuity and cyber incident response: Two sides of the same coin
Historically, business continuity (BC) plans and cyber incident response (IR) plans have often been developed in isolation from each other. Are they the same thing? They are related but distinct: a business continuity plan focuses on maintaining operations, while an incident response plan focuses on containing and recovering from a cyber-attack. In practice, a cyber incident is highly likely to trigger a business continuity event, and keeping the two plans separate could create confusion for trustees at the worst possible moment. During a cyber incident, trustees may need to decide:
 
Can benefits continue to be paid, and how?
Which services and/or members should be prioritised?
What communications are required for members and regulators?
 
An aligned approach ensures that cyber incidents are treated as business-impacting events rather than purely technical failures or outages. BC and IR plans, designed to work as a single choreography, should clearly establish how trustees, scheme executives and advisers interact, how decisions are escalated and how accountability is recorded.
 
Trustee focus during an incident: Decision-making, not firefighting
Trustees are not expected to manage incidents minute by minute, but they are expected to provide oversight, challenge and direction. Effective governance of an ongoing incident lets trustees focus on strategic decisions rather than operational detail, and a well-designed plan will allow trustees to:
 
Understand what has happened and what is known versus unknown
Confirm that member interests are being prioritised
Provide appropriate challenge on recovery options and communications
Evidence decisions taken under pressure
 
Just as importantly, post-incident governance – including lessons learned and plan updates – demonstrates continuous improvement and regulatory maturity.
 
Building confidence through assurance and testing
One of the most effective ways for trustees to gain confidence is through regular assurance and scenario testing. Cyber simulations and continuity exercises allow trustees to explore their role in a safe environment, testing decision-making 'muscle memory' and identifying plan or procedural gaps before a real incident occurs. These exercises reinforce the principle that cyber preparedness is not a one-off activity, but an ongoing governance responsibility that evolves with the threat landscape.
 
Conclusion: Trustee leadership in a complex risk environment
Emerging cyber risks are reshaping the pension landscape, but they are unlikely to fundamentally change the trustee's role. Trustees remain accountable for protecting members, ensuring continuity of critical services and meeting regulatory expectations.
 
What has changed is the complexity and interconnectedness of the risks involved. AI, post-quantum developments and PDP all introduce new dimensions of uncertainty, but they can be managed effectively through strong, trustee-led governance.
 
By aligning business continuity and cyber incident response plans and processes, focusing on decision-making authority and maintaining visibility of emerging risks, trustees can demonstrate resilience, protect member outcomes and meet their duties with confidence.
 