DNB published its findings in a sector-wide analysis of information security for 2023 among Dutch pension funds and pension execution organizations. The analysis highlights that the role and explicit knowledge of directors and (internal) supervisors require more attention for robust (IT) risk management. This includes cyber risks and residual risks, as well as continually evaluating and improving control measures based on current threat assessments.
Three key findings emerge from the analysis:
– Business continuity measures are inadequately tested
While pension execution organizations in the Netherlands pay thorough attention to designing and testing their business continuity measures, self-administered pension funds lag behind in their attention to business continuity. In 2024, DNB will specifically focus on the sector’s operational (cyber) resilience, looking at the role and explicit knowledge of directors and internal supervisors, the control of IT and cyber risks in outsourcing chains, and the involvement of critical outsourcing relationships in business continuity tests.
– Implementation of critical security patches has not improved
The analysis reveals that pension funds and execution organizations in the Netherlands were slightly slower in implementing critical security patches than in the previous year. DNB urges faster responses to potential security vulnerabilities in IT infrastructure and applications. Accelerating the controlled implementation of critical patches, both within the institution and throughout the outsourcing chain, is essential because the risk of exploitation is elevated immediately after such patches are released.
– Risk management maturity varies among institutions in the pension sector
The sector-wide analysis indicates that the integration of IT and cyber resilience into the entire risk management cycle lags behind in some institutions. With 21% of pension funds and execution organizations unable to sufficiently demonstrate the maturity of their risk assessments, there is still room for improvement. The maturity of the processes that follow from risk improvement plans has improved, with 26% reporting insufficient maturity compared to 39% in the preceding year. Additionally, 20% of institutions cannot sufficiently demonstrate a mature IT risk management framework. DNB urges these institutions to demonstrate effective control of their information security risks.
This article provides insight into the major cyber risks facing the sector, emphasizing the need for risk mitigation.