There has been “insufficient improvement” of operational cyber resilience in the Dutch pension sector, according to Dutch central bank and regulator, De Nederlandsche Bank (DNB).
Its sector-wide analysis of information security 2023 among Dutch pension funds and pension administration organisations found that the role and explicit knowledge of directors and (internal) supervisors in sound (IT) risk management require more attention.
The bank said this includes establishing a risk appetite in the field of cyber risks and residual risks and continuously evaluating and improving control measures based on a current threat assessment.
More specifically, DNB identified three important outcomes from the analysis: business continuity measures have not been sufficiently tested; the implementation of critical security patches has not improved; and risk management is not sufficiently mature at all institutions in the pension sector.
In regard to the first outcome, DNB’s analysis shows that self-administered pension funds lag pension administration organisations when it comes to business continuity. However, approximately 60 per cent of self-administered funds indicate that they will have carried out such tests by 2022. In 2024, DNB said it will pay extra attention to the operational (cyber) resilience of the sector.
“DNB emphasises the importance of thorough preparation for both operational and (cyber) disasters and expects all pension funds and pension administration organisations to regularly test their measures. When performing tests, it is important that critical and important outsourcing relationships are also involved. These relationships are now often not part of the tests,” the bank stated.
On the subject of critical security patches, DNB’s analysis shows that pension funds and pension administration organisations pay slightly less attention to the controlled and accelerated implementation of critical security patches compared to the previous year. The average implementation time is now 3.5 days, a slight deterioration from 3.3 days in the previous year.
“DNB draws attention to a rapid response by pension funds and pension administration organisations to potential security breaches in their (outsourced) IT infrastructure and IT applications. Further accelerating a controlled implementation of critical patches at the institution itself, as well as throughout the entire outsourcing chain, contributes to this. Various threat assessments show that immediately after the release of a critical security patch, the number of (successful) hacks increases. The interconnectedness of IT systems in outsourcing chains increases the chance of a successful attack or disruption as vulnerabilities remain open for a longer period of time,” DNB explained.
Finally, DNB’s sector-wide analysis of information security 2023 also shows that the anchoring of IT and cyber resilience in the entire risk management cycle is lagging behind.
The analysis shows that 21 per cent of pension funds and pension administration organisations cannot sufficiently demonstrate that their risk assessments are mature. However, this is an improvement compared to the previous year’s 32 per cent.
In other positive news, the demonstrable maturity of processes that follow up on risk improvement plans has also improved: 26 per cent of pension funds and pension administration organisations indicate that they cannot sufficiently demonstrate maturity, compared to 39 per cent last year.
In addition, 20 per cent of pension funds and pension administration organisations cannot sufficiently demonstrate a mature IT risk management framework, compared to 34 per cent last year.