Skip to main content
main content, press tab to continue
Article | Global News Briefs

EU, US: New requirements for pension and benefit plans to manage cyber risks

By Christopher Mayo and Stephen Douglas | September 30, 2024

Businesses in the EU and U.S. are facing tighter regulations around cybersecurity and information technology to protect financial data, health and welfare plan information, and plan assets.
|Health and Benefits|Retirement
N/A

Employer Action Code: Act

Financial entities, which include institutions for occupational retirement provision (IORPs[1]) that have 15 or more participants, must comply with the European Union’s (EU’s) Digital Operational Resilience Act (DORA) by January 17, 2025. DORA is intended to strengthen the EU financial sector's resilience against cyber attacks and other information and communication technology (ICT) disruptions, harmonize ICT risk management regulations across EU member states, and improve communication and information sharing between financial institutions and regulators. DORA was enacted in 2022 as a regulation, meaning that it applies to EU member states without the need for transposition into domestic law. Individual countries may, however, release local implementation guidance (e.g., as Ireland’s Pension Authority and Germany’s financial regulator — BaFin — both did in July 2024).

Similarly, in 2021 the U.S. Department of Labor (DOL) issued cybersecurity requirements for plan sponsors and other stakeholders of employee benefit plans to safeguard plan data, personal information and plan assets. On September 6, 2024, the DOL released updated guidance to confirm that the 2021 requirements apply to all benefit plans, including health and welfare plans.

Key Details

DORA and its supporting regulatory technical standards set out extensive detailed requirements for financial entities to establish policies and procedures, organized under five core pillars:

  • ICT Risk Management: Identification, assessment, mitigation and monitoring of ICT risks
  • Incident Management: Reporting of major ICT incidents to regulators, with clear timelines and procedures
  • Digital Operational Resilience Testing: Regular testing of systems and infrastructure to identify vulnerabilities
  • Service Provider Management: Establishment of stringent requirements for outsourcing ICT functions to third-party vendors
  • Information Sharing and Cooperation: Encouragement of financial entities to share information about ICT threats and incidents with each other and regulators

Employer Implications

The management body of a financial entity is responsible for implementing DORA’s requirements. For IORPs, the Pension Foundation Board (or equivalent) is considered the relevant management body while employer sponsors are clear stakeholders. Employers can bring their direct experience in establishing similar policies and procedures for their business as well as plan and take actions to ensure compliance by the January 17, 2025 deadline. IORPs with 15 to 99 members are subject to somewhat lesser requirements under DORA (i.e., they are exempt from performing advance testing of ICT systems and adopting a strategy on ICT third-party risk).

Footnote

  1. As defined in EU Directive 2016/2341 on the Institutions for Occupational Retirement Provision (IORP II Directive) Return to article

Contacts


Senior Director, Integrated & Global Solutions

Senior Director, Retirement and Executive Compensation

Contact us