Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what assessment the Government has made of the security of civil servants' pensions data following the cyber attack against Capita in March 2023.
The Civil Service Pension Scheme (CSPS) contract has been structured to ensure that robust Information Security including Cyber Security controls are in place. This has been a fundamental principle from the inception of the procurement. As such the procurement has built measures into the CSPS contract and supporting requirements to ensure that Information Security including Cyber Security is of paramount importance throughout all stages of transition and the contract term. This includes:
CSPS requirements including a robust set of security principles that are up to date with the latest His Majesty's Government (HMG) requirements, specifically no off-shoring of CSPS data, annual IT health checks, a monthly Security Working Group to review and investigate any issues relating to security, and an ongoing requirement to provide the Cabinet Office Digital team with assurance against the Cyber Assessment Framework (GovAssure) standard.
Embedded within the CSPS contract is the requirement to ensure that Capita, and the administration solution, will be subject to a rigorous accreditation process prior to any CSPS data being migrated to their infrastructure.
Enhancements being made to the standard Model Service Contract Security Schedule (2.4) to ensure that the Cabinet Office has the contractual leverage to enforce proactive and reactive controls for cyber and data security.