European pension fund achieves over €60,000 in annual savings and 75% reduction in workload with migration to CyberArk Identity Security Platform

Summary

Faced with an expanding attack surface, tough financial regulations, and a strategic shift to a cloud-first operating model, this leading European pension fund decided to migrate to the cloud with the CyberArk Identity Security Platform. While the SaaS solution represented a higher upfront cost, the organization quickly realized a strong return on investment with savings of over €60,000 a year. It also gained meaningful operational benefits, including expanded CyberArk Secure Infrastructure Access capabilities, improved user experience, reduced application and data center costs, and the ability to free staff to focus on higher-value, business-critical work.

Company profile

The European pension fund business was founded in the late 1960s and manages around €255 billion in assets for almost six million participants. It is one of the top ten financial institutions in Western Europe and one of the world’s largest institutional investors and pension funds.

Employees:  2,000

Challenges

The realities facing this European pension fund had all the makings of a perfect storm: increasing cyberattacks, a cloud-first strategic initiative, and a demand for greater efficiency set against tough financial regulations. Anticipating these demands, the organization invested in the CyberArk Identity Security Platform to manage privileged access across its physical server environment.

The European pension fund manages around €255 billion in assets for almost six million participants. Its IT infrastructure comprises both a physical data center and a cloud environment, using Microsoft applications along with several in-house developed pension management systems. The business manages 3,000 human identities and 13,000 machine identities supported by 500 CyberArk users and 1,500 CyberArk vaults. In the data center, 50 servers run CyberArk for use cases such as admin access, session control, onboarding, and DevOps.

The company’s decision to adopt a cloud-first strategy and move business systems and applications from on-premises to Azure required a tool to secure and manage its cloud environment. Given the volume of personal and sensitive data it manages, the organization needed to protect against external threats while also mitigating internal fraud risk.

In parallel, the pension fund needed to comply with several financial regulations. These include the EU’s new Digital Operational Resilience Act (DORA), introduced in 2025 to ensure organizations can withstand digital disruptions and cyber threats, as well as the SWIFT Customer Security Programme (CSP), a mandatory framework outlining the security controls SWIFT users must adopt to protect against cyber threats, secure local environments, and prevent fraud.

To support these requirements, the organization launched a project to migrate its CyberArk Privilege Access Management (PAM) Self-Hosted solution to CyberArk Privilege Cloud. The decision reflected both familiarity and operational confidence in CyberArk as one of the best solutions in the market.

“In the Netherlands, most financial businesses like pension funds, banks and insurance companies use CyberArk as their privileged access and identity management solution,” stated the head of identity & access management at the pension fund. “We are used to CyberArk, we have CyberArk knowledge, and it’s a great privilege access management solution.”

Solutions

The pension fund started using CyberArk in the early 2020s. Migrating to SaaS represented the next step in the pension fund’s development of its CyberArk Identity Security Platform, supporting just-in-time access, reducing standing privileges, and aligning privileged access controls with its broader cloud-first operating model.

“Migrating to CyberArk Privilege Cloud has enabled better integration with our other CyberArk platform solutions and with other vendor products, helping to make our overall security position more resilient and agile,” added the head of identity & access management. “Now we are planning to switch to other SaaS versions of the CyberArk portfolio, including CyberArk Certificate Manager.”

The CyberArk Identity Security Platform sits alongside other security systems, including Microsoft Active Directory and Azure Active Directory. The migration was managed jointly between the pension fund, CyberArk Professional Services and CyberArk business partner Xalient. Together, they completed the three-phase migration in 16 months with no downtime and noted that it could be executed in as little as six months with a continuous schedule. The migration used a phased approach:

• Phase 1: Executed a data clean-up to evaluate the existing on-premises environment. This effort, which took a couple of months, reduced the number of platforms requiring migration from 30 to six, significantly shortening the overall migration timeline.
• Phase 2: Migrated all admin users.
• Phase 3: Migrated machine CCP users with a phased weekend approach to ensure business continuity.

With this schedule, they were able to achieve full migration with no disruption to the business or end users.

“For any business planning to migrate to SaaS, I recommend using config and infrastructure as code because it saves a lot of time and prevents you from making mistakes,” advised the head of identity & access management. “Also, you should clean up your on-premises environment first, so you do not take redundant stuff to the cloud environment. We had about 30 on-premises platforms with policies on each. We cut that number to just six in the cloud, which also made migration faster.”

Results

Migrating to SaaS with CyberArk Privilege Cloud delivered clear, measurable benefits to the pension fund, ranging from lower costs and improved efficiency to streamlined compliance and a faster, more intuitive user experience.

Immediately, the move enabled the organization to dramatically reduce the number of servers needed to run CyberArk from 50 on-premises to just six in Azure using CyberArk Secure Infrastructure Access. In fact, only three servers are needed, as the others are for redundancy. Despite the higher cost of the SaaS solution versus the on-premises solution, the pension fund achieved more than €60,000 in annual direct savings by:

• Eliminating the need for Microsoft licenses and dedicated PCs for contractor access.
• Reducing third-party services, previously required to manage self-hosted environments and data centers.

These figures don’t include additional operational savings from reduced routine maintenance, which freed IT teams from tedious tasks and enabled them to focus on high-value business work and new projects.

“CyberArk helped reduce our workload by about 75%. Upgrades that used to take three days to deploy across relevant systems are now almost instantaneous, saving my team weeks of work every year. Now, they can focus on new business-critical projects that we didn’t have time for before.”
– Head of Identity & Access Management at European Pension Fund

The migration also strengthened the fund’s overall security stance and reduced risk.

“The biggest benefit we have from migrating to the cloud is more security,” said the head of identity & access management. “New features in the product, like integration with complementary tools, just-in-time access, and zero standing privileges improve efficiency and help reduce the threat of attack. Also, the user experience is better, and we can handle change much faster.”

Integrating with other complementary security tools also enhanced the fund’s defenses against hackers seeking privileged access via Active Directory. CyberArk Secure Browser has significantly reduced the company’s exposure to common attack vectors such as cookie-based access to Azure.

One of the key challenges for any financial organization is meeting and especially proving that it can meet financial regulations. Compliance with strict regulations like DORA and the SWIFT Customer Security Programme is now easier to demonstrate with CyberArk Identity Security Platform as the fund can generate reports showing how privileged access is managed and controlled in as little as one hour.

“CyberArk makes regulatory compliance much easier,” said the head of identity & access management. “Reporting is stronger, and because all privileged access is centralized, we can clearly show how we securely manage access. Doing this without CyberArk is difficult and time-consuming.”

The fund’s head of identity & access management added, “CyberArk’s Identity Security Platform is very important to our business. We operate in the financial sector, which has lots of compliance demands, and with CyberArk managing and controlling privilege access, it is very easy to meet regulatory requirements.”

Key benefits

With CyberArk, the retail mortgage lender moved from risky, scattered, and labor-intensive password practices to a centralized, auditable identity security platform with strengthened security controls.

• Saves over €60,000 a year in real costs
• Reduces burden on IT by up to 75%
• Enables financial regulation reporting in as little as one hour
• Simplifies compliance auditing and reporting for financial services
• Improves user experience
• Reduces maintenance resources by reducing infrastructure from 50 servers to 6