‘Insufficient improvement’ of cyber resilience in Dutch pension sector - DNB

There has been “insufficient improvement” of operational cyber resilience in the Dutch pension sector, according to Dutch central bank and regulator, De Nederlandsche Bank (DNB).

Its sector-wide analysis of information security 2023 among Dutch pension funds and pension administration organisations found that the role and explicit knowledge of directors and (internal) supervisors for sound (IT) risk management requires more attention.

The bank said this includes establishing a risk appetite in the field of cyber risks and residual risks and continuously evaluating and improving control measures based on a current threat assessment.

More specifically, DNB has identified three important outcomes as a result of the analysis: business continuity measures have not been sufficiently tested; the implementation of critical security patches has not improved; and risk management is not sufficiently mature at all institutions in the pension sector.

In regard to the first outcome, DNB’s analysis shows that self-administered pension funds lag pension administration organisations when it comes to business continuity. However, approximately 60 per cent of self-administered funds indicate that they will have carried out such tests by 2022. In 2024, DNB said it will pay extra attention to the operational (cyber) resilience of the sector.

“DNB emphasises the importance of thorough preparation for both operational and (cyber) disasters and expects all pension funds and pension administration organisations to regularly test their measures. When performing tests, it is important that critical and important outsourcing relationships are also involved. These relationships are now often not part of the tests,” the bank stated.

On the subject of critical security patches, DNB’s analysis shows that pension funds and pension administration organisations pay slightly less attention to the controlled and accelerated implementation of critical security patches compared to the previous year. The average implementation time is now 3.5 days, a slight deterioration from 3.3 days in the previous year.

“DNB draws attention to a rapid response by pension funds and pension administration organisations to potential security breaches in their (outsourced) IT infrastructure and IT applications. Further accelerating a controlled implementation of critical patches at the institution itself, as well as throughout the entire outsourcing chain, contributes to this. Various threat assessments show that immediately after the release of a critical security patch, the number of (successful) hacks increases. The interconnectedness of IT systems in outsourcing chains increases the chance of a successful attack or disruption as vulnerabilities remain open for a longer period of time,” DNB explained.

Finally, DNB’s sector-wide analysis of information security 2023 also shows that the anchoring of IT and cyber resilience in the entire risk management cycle is lagging behind.

The analysis shows that 21 per cent of pension funds and pension administration organisations cannot sufficiently demonstrate that their risk assessments are mature. However, this is an improvement compared to the previous year’s 32 per cent.

In other positive news, the demonstrable maturity of processes that follow up on risk improvement plans has also improved: 26 per cent of pension funds and pension administration organisations indicate that they cannot sufficiently demonstrate maturity, compared to 39 per cent last year.

In addition, 20 per cent of pension funds and pension administration organisations cannot sufficiently demonstrate a mature IT risk management framework, compared to 34 per cent last year.
