The Digital Operational Resilience Act for Pension Schemes: Considerations for Trustees
In this report, we examine the implications of the Digital Operational Resilience Act (“DORA”) for trustees of occupational pension schemes.
As discussed in our earlier briefing, DORA was adopted by the European Council in November 2022, by means of Regulation (EU) 2022/2554 and Directive (EU) 2022/2556, and came into force on 16 January 2023. DORA is intended to consolidate and upgrade information and communications technology (“ICT”) risk requirements in the financial sector, and will apply in full from 17 January 2025. Trustees of occupational pension schemes will be responsible for ensuring compliance with DORA, and should familiarise themselves with the new requirements in advance of the compliance deadline.
Background to DORA
DORA acknowledges that high levels of interconnectedness across financial entities, including the interdependence of ICT systems, create a systemic vulnerability and a risk of cyber incidents quickly spreading from individual financial entities to the entire financial system. DORA aims to strengthen the IT security of financial entities, including banks, insurance companies and investment firms, to ensure resilience in the event of a severe operational disruption.
DORA for pension scheme trustees
DORA will apply to all “financial institutions”, which includes occupational pension schemes with 15 or more members, and requires the management body of a financial entity to hold ultimate responsibility for managing ICT risk. In respect of an occupational pension scheme, the scheme’s trustees will be considered the relevant management body. Trustees will be required to actively keep up to date with the knowledge and skills necessary to assess ICT risk and its impact on the pension scheme, and to ensure they undertake regular training. Furthermore, trustees of occupational pension schemes will be required to:
- ensure that schemes have a comprehensive ICT risk management policy as part of the overall risk management framework required by the European Union (Occupational Pension Schemes) Regulations 2021 (“IORP II”);
- maintain and review a comprehensive DORA resilience testing programme, which will conduct appropriate tests on ICT systems on an annual basis;
- have a comprehensive programme for testing and minimising ICT risks;
- review contractual arrangements with third-party service providers and key function holders to ensure that they are compliant with DORA; and
- report major ICT-related incidents to the relevant competent authority, being the Pensions Authority.
DORA will implement governance rules by way of Regulatory Technical Standards (“RTS”) and Implementing Technical Standards (“ITS”), which are intended to harmonise the tools, methods, processes and policies available to financial institutions. Following public consultation, the first batch of technical standards was submitted to the European Commission for review on 17 January 2024. These technical standards prescribe, among other things, the detail to be included in policies relating to the use of third-party ICT providers; criteria for the classification of ICT-related incidents, including whether an incident is ‘major’ or constitutes a ‘cyber threat’; and measures to be included as part of ICT risk management frameworks.
The second group of technical standards was published for public consultation on 8 December 2023, and submissions can be made until 4 March 2024. The second set of technical standards includes guidelines on the estimation of aggregated annual costs and losses caused by ICT incidents, and specifies the content, timelines and templates to be used for incident reporting.
Next Steps for Trustees
It is expected that the Pensions Authority will issue guidance on DORA and its implications for occupational pension schemes.
Trustees should engage with their advisors to ensure that they are familiar with the requirements of DORA in advance of the January 2025 deadline. Some next steps for trustees include:
- Establishing a DORA implementation team;
- Conducting a gap analysis of existing ICT risk management frameworks (including those established following IORP II) against DORA requirements;
- Reviewing any ICT contract arrangements and engagements with ICT third-party service providers; and
- Conducting a cyber hygiene review.
Also contributed to by Beth Devlin
This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.