Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, whether his Department had made an assessment of the adequacy of Capita’s cybersecurity protocols prior to the March 2023 data breach.
The Cabinet Office (CO), which is responsible for managing the contract with Capita for the Royal Mail Statutory Pension Scheme (RMSPS), ensured the adequacy of Capita's cybersecurity protocols through a robust contractual framework. Capita is required to adhere to Government Security standards and the Security Schedule of the contract, which includes providing annual independent penetration testing by a National Cyber Security Centre-accredited team and maintaining security accreditations such as ISO 27001 and Cyber Essentials Plus.
These standards and Capita’s security posture are overseen by CO Information Assurance professionals and captured via regular reporting and audits. It should be noted that all of the accredited RMSPS systems were not compromised during the Capita cyber attack and remained secure; however, a small number of scheme members were unfortunately impacted when some data was extracted from a separate Capita finance file related to compensation payments.