
FMA publishes Guide on IT Security in Pensionskassen


The Austrian Financial Market Authority (FMA) today published its Guide on IT Security for Pensionskassen (Pension Funds). As a result, the high supervisory standards for IT and cyber security that have already been established in other areas of the financial market have now been extended to cover occupational pensions undertakings. During the course of 2018, the FMA has already issued similar guides for banks, insurance companies and investment services. Undertakings active in the Austrian financial market therefore profit from consistent frameworks for the digitalisation of their business models.

Pensionskassen form a key pillar in the pension provision landscape in Austria. The FMA’s Guide on IT Security ensures that this key pillar remains stable even in a digitalised financial market. A study by the International Monetary Fund (IMF) recently highlighted how relevant IT and cyber risks are in the financial market. According to the study, cyber attacks alone cause damage to the global financial system of around USD 100 billion annually.

In light of this, the FMA has already made IT security one of its priorities for supervision and inspections during the year that is currently ending. At the end of November it announced that IT security will remain a priority during 2019. The priority for 2019 will focus on the practical implementation of the Guides. “This year we have focussed on the underlying theory, next year the focus will shift towards the practical side. We will visit entities and will check whether our requirements are also actually being met,” remarked the FMA’s Executive Directors, Helmut Ettl and Klaus Kumpfmüller.

The establishment of comprehensive IT Risk Management and Information Security Management is a key element of the Guide. Pensionskassen are required to draw up their own IT strategy and to establish IT governance, both of which are overseen by the management board. Helmut Ettl and Klaus Kumpfmüller added, “Just having an IT strategy is not sufficient. A strategy on paper can be very tolerant. We therefore demand that the issue is actually granted the utmost priority. IT security is a top-level concern.”

Depending on the size of the entity and the individual risk situation, it may also be necessary to appoint an information security officer, who is responsible for ensuring the integrity and confidentiality of the data handled in the entity. Pensionskassen ultimately determine which methods, systems and processes are appropriate in relation to IT security within the scope of the standards prescribed by the FMA. The FMA thereby observes the principle of proportionality in the Pensionskassen sector.

The “FMA Guide – IT Security in Pensionskassen” (FMA Leitfaden IT-Sicherheit Pensionskassen) can be found in German only on the FMA website at:

https://www.fma.gv.at/fma/fma-leitfaeden/

Journalists may address further enquiries to:

Mr. Stefan Maier

+43/(0)1/24959-6001

+43/(0)676/882 49 426