The Pensions Regulator (TPR) has written to a number of defined benefit and defined contribution schemes following a data breach at Capita.
At the end of March, Capita revealed it had experienced a cyber incident, one which had primarily impacted access to internal Microsoft Office 365 applications. At the time it said there was "no evidence of customer, supplier or colleague data having been compromised".
However, in an update on 20 April, the business process services firm said there was "some evidence of limited data exfiltration" among some sections of its server estate which could include customer, supplier or colleague data.
Capita provides pensions administration services for over 450 clients, although it is not yet clear whether scheme data has been impacted by the cyber incident.
In its letter to schemes, the regulator reminded trustees of their duties to members - urging them to "determine whether there was a risk to their scheme's data".
A TPR spokesperson said: "We take IT security and the risk of cyber attacks extremely seriously. That's why we have issued guidance for trustees.
"In light of the cyber incident directed at Capita, we have asked trustees of schemes which employ Capita as their administrator to speak with the company to understand more about the situation and to help determine whether there is a risk to their scheme's data.
"If a trustee establishes that their scheme has suffered a data loss, they have a duty to notify TPR, other authorities and impacted individuals. Our communication requires trustees to read TPR's and the Information Commissioner's Office (ICO) guidance on cyber and IT security and to make sure they are familiar with their responsibilities.
"We are also asking schemes to report to us what steps they have taken to ensure their obligations as data controller have been met."
