Cyber risk and the employer covenant: An evolving area from the 2026 AFS

Article

By: Luke Hartley, James Wilmer


The Pensions Regulator’s 2026 Annual Funding Statement (AFS) takes a positive view. Funding levels have improved significantly, and many schemes are transitioning from deficit repair to endgame planning. Within that broader narrative sits an important reminder, and one that may become increasingly relevant for trustees over time: almost in passing, the AFS notes that trustees should “remain alert to emerging and ongoing risks that could affect an employer’s covenant, for example: cyber, climate and sustainability.” It is only a short reference, but it reinforces something that is easy to overlook: cyber risk is not just a scheme-level issue. It is something that could directly affect the employer’s ability to support the scheme.

That distinction matters.

Trustees have, for some time, focused on cyber resilience within the scheme, particularly in relation to administrators, member data and operational continuity. Those disciplines are now well embedded across many schemes. What feels different in the AFS is the extension of that thinking outward to the cyber vulnerability of the sponsor. The issue is not simply operational disruption. A significant cyber event at the employer could lead to loss of revenue, business interruption, remediation costs and reputational damage, all of which can weaken covenant support, potentially very quickly.

It appears to be a push to ensure trustees take a rounded and forward-looking view of covenant risk. Cyber risk, in this context, becomes one of several exposures that may influence employer strength. The practical question is how far trustees should go.

The 2026 AFS, in line with the wider funding regime, points to proportionality. For some schemes, particularly those that are small, well-funded or supported by employers with relatively limited cyber exposure, addressing this risk may be relatively straightforward. A small number of targeted questions, backed by public disclosures, may provide enough reassurance.

This will not be true for every scheme. Where funding still depends heavily on the covenant, or where the sponsor operates in a sector with greater exposure to cyber threats, the issue carries more weight. Businesses that are highly digital, data-rich or have long and complex supply chains, such as those in financial services, healthcare, retail or infrastructure, face a higher likelihood of attack and potentially more significant consequences. The challenge is less about identifying the existence of cyber risk, and more about understanding its potential impact on covenant strength and how that should be reflected in covenant monitoring frameworks.

In many cases, this will not require a fundamental change in approach. Cyber considerations can often be integrated into existing covenant monitoring processes alongside other drivers of downside risks. For well-funded schemes, or for schemes with employers with low cyber risk exposure, that may be enough. But where exposure is greater, or less clear, a more detailed assessment may be needed. That could involve developing a clearer view of the sponsor’s cyber resilience, governance, and the potential financial consequences of a severe but plausible incident. Much of this will already likely have been evaluated by the sponsor or its advisers, and the AFS is not asking trustees to become cyber specialists. What it asks of trustees is to recognise that cyber risk can have covenant consequences, and to respond in a way that reflects their scheme’s specific circumstances.

As schemes continue their journey towards endgame, the focus is increasingly on managing downside risks. Cyber risk may only occupy a few lines in this year’s AFS, but for some schemes it will merit more focused consideration, particularly where a full understanding of employer cyber risk properly requires a combination of covenant insight and specialist cyber expertise. Where it does, the most useful view usually comes from two perspectives working together. Covenant advisers understand what weakens employer support and how to reflect it in monitoring; cyber specialists can judge how likely an incident is, how damaging it could be, and how well prepared the sponsor is to withstand it. In combination, they can help trustees concentrate effort where exposure is greatest, particularly in higher-risk sectors. That expertise need not be confined to covenant monitoring: for many trustees it is a natural extension of the cyber assurance they already obtain over the scheme’s own data and processes.

Whatever a scheme’s circumstances, good preparation rests on the same foundations, and there are four steps we believe every business and every trustee should have in place:

  • A comprehensive cyber incident response plan, developed alongside business continuity and disaster recovery plans.
  • Regular testing of that plan, so it holds up under real pressure and not only on paper.
  • Board-level workshops to bring the risk into focus and support planning.
  • Specialist external advice wherever in-house cyber expertise is limited.

This is an area where joined-up thinking matters. Grant Thornton’s covenant advisory and cyber teams work together to help schemes and employers understand cyber exposure and how it could affect covenant support. As the AFS gives cyber risk more attention in covenant assessment, that combined view is likely to become more useful for trustees.

By Luke Hartley, Pensions Covenant Advisory, and James Wilmer, Cyber Client Relationship Director