Dutch pension funds aren’t sufficiently in control of data security and outsourcing risks, according to regulator De Nederlandsche Bank (DNB).

In its newsletter it said that they must evaluate security more often, stop information leaks more quickly and be more alert regarding outsourcing risks, in particular the use of cloud storage.

DNB checked an unspecified number of pension funds for 54 criteria.

The supervisor noted that, compared to 2010, pension funds had improved on safety in programming software, increased the risk-awareness of their staff and improved co-operation on cybersecurity expertise.

However, it emphasised that pension funds must increase their investments in the quality of IT risk management, the monitoring of outsourced tasks, the testing of adjustments and “patch management”.

IT risk management needed more frequent evaluation and maintenance, DNB said, to prevent falling behind on “continuously changing cyber-risks”.

DNB found that no more than 60% of software security patches were installed within two days of being issued, and that full cover was only reached in 60 days, which it deemed “too long”.

The regulator announced an additional survey into data security, which would include an assessment of how quickly a pension fund was able to return to business as usual following a hack.

Drawing on another survey, the watchdog noted that pension funds and insurers increasingly outsourced data storage to cloud-based providers without a sufficient view on data security, continuity or the quality of the outsourcing partner.

It found that pension funds often weren’t aware that their data were stored in the cloud, which must be reported to DNB.

The supervisor said its survey had been an eye-opener to the sector, quoting a participating institution as saying that it had changed from “subconsciously incapable to consciously incapable”.